Hackers Can Phish with PLAINTEXT QR Codes
ฝัง
- เผยแพร่เมื่อ 25 มี.ค. 2024
- jh.live/keeper || Keeper Security offers a privileged access management solution to deliver enterprise grade protection all in one unified platform -- keep your users, your data, and your environment secure with Keeper! jh.live/keeper
My scrappy Python code: github.com/JohnHammond/qr2uni...
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥TH-cam ALGORITHM ➡ Like, Comment, & Subscribe!
PS -- I see in the comments that `qrencode -t` would work just as well. That works great, but may still need some tweaking to be full-width characters and "monospace" to copy-paste into an email (or Sans font). Might be a worth a TH-cam Short 🤪
There's always someone in the comments who has a faster/shorter solution 😆 This way round is the better story though 👍
@@darkshoxx There's also -m for setting the margin, which I found while writing the folowing (lil' optimisation for finding the margins):
For finding the min and max, you could stop at the first black pixel you hit, as it will always be the top-left corner, and then loop from the [width, height] back to zero to find the right-bottom corner. This skips looping through the whole QR
Couldn't stop myself when I saw the full-image scanning
Edit:
for block-size, from the top-left corner that we found, we can go diagonally until we find a white pixel. That means we're inside the 'marker' outer border = we're in block 2,2
Sorry for editing, I write as I watch
You could use an empty braille character as a space. "⠀" U2800
I saw this in a video where the person made Flappy Bird as small as possible, using braille as the pixels. I can't find that video, though :(
GPT says the same
Excellent video as always, sir! Would you consider doing a walk-through of my teams CTF for DC32?
The company I work for did do the office 356 QR code email to see how many employees would fall for the scam. props for the Ciso team
I like how your Hello World QR code looks like someone dancing and removing their hat right in the middle
lol you right
Everyone's looks like that. Aren't you coding along?
I rewound the video to see this and it’s amazing. Thanks for your comment! 😊
Ha n1
You know if you're using an Android phone, the camera app will scan QR codes without needing an app with ads. At least my Pixel does. Google Lens is tied into the camera app so if I just open the camera and hold it up, Lens recognizes there's a QR in the viewfinder and gives me the link.
Edit: note to self - finish the video before commenting.
And on iOS you also have QR code scanning in the camera app.
It depends on the specific vendor. On some camera apps, it is not available (but on most it is). On LineageOS, it is a separate tab.
There's also Binary Eye, which is a FOSS app that can scan all sorts of barcode types, not just QR codes
Random thought... You can use Excel to display a QR code... in a variety of ways. An easy way is to use conditional formatting to shade the appropriate cells, and make the column width the same as the height. Pretty sure I did that for a CTF last year. Python is way cooler though! :-)
The blank space in unicode should be U+00A0 (the infamous ALT+255)
I wonder, for the sake of making it smaller, if we could use those half-blocks (upper-half and lower-half) together with the full block and the empty block, to sort of generate a QR code that's 4 times as small and has the same pixels :) I guess all we'd need would be to add an extra row at the end if the number of rows is odd, and then parse the rows 2 by 2, to compose each block.
Yes, the qrencode tool does exactly this with it's utf8 output format
No, the non-breaking space is exactly the same size as the normal ' ' character.
I was thinking the same on using the half blocks.
why not the zero width non-joiner?
\u200c
I think a braille empty character could have worked as a spacer in this case. Not really sure if it is the exact same width as any of the blocks off the top of my head, but could also possibly work with one of the different width blocks regardless.
my thoughts exactly
ye that “invisible” one
or since its an email, literally just changing the font color to white and use the same character, just in white
@@aidan7913 Nof if the recipient uses dark mode
@@darkshoxx usually you can send an email with custom styling that isn't overwritten by the email client. dark mode doesn't matter if you set some html element to have a background color
I was not getting the concept of "plaintext QR" at first. AWESOME idea! 😆
This code is brilliant. You rock man, did you come up with this algorithm yourself? Good stuff!
Beautiful. Amazing idea, easily understandable solution. For empty characters I recommend U+2800 which is the empty Braille character. The Braille characters are often used for pixel art in things like twitch chat, and that one “⠀” should have the right size no matter which font.
Cool
Try the "Figure Space" (U+2007). But it depends on the font. There is a whole selection of spaces in different widths called -per-Em Space.
The best thing to do is use the same character in different colors.
That was awesome,
Loved the video!
That really isn't a bad idea for a phishing campaign at all John. Nice job man.
Shoot, even the ASCII table has block characters. I used them regularly in the '90s to create DOS UIs.
ASCII does not, you're probably thinking of CP437.
@@icantcomeupwithnames469 Ah, the infamous "
MODE CON CODEPAGE PREPARE=(437, C:\DOS\EGA.CPI)
MODE CON CODEPAGE SELECT=437
"
(Whoops, I never got *that Emoji-selector* before ! Was that a Windows Update, or is Win+[Period] hijacked by YT?)
I like the sound of this one !
An alternate (and slightly faster) way to determine block size is to march along the diagonal from the first black pixel to the first white along x=y from the top left corner as per qr spec that will be your first "block".The top left positioning marker will always be 1 block thin.
That's Qr code so cute i like this video thank you SM ❤😂
This is actually really smart!
Since you mentioned qrencode, is the python script any different from what "qrencode -t utf8" does?
Nothing really
I think he’s just padding the video because this whole python section is totally obsolete.
I guess probably it won’t align well with some mail clients maybe
@@shamringo7438 He didn't RFM
Beautiful t-shirt John
I remember I wrote a bash script(just some loops with ImageMagick inside) that would translate an image to morse code based on the black and white pixels. I thought this could also be done with a QR image, when instead of dot/dash, just set it to a binary 0 or 1.
Then later just replace the 0s with the White Square and the 1s with a Black Square and put a newline at the Nth character
15:35 (-ish) you could combine lines 40-43 into a one-liner:
row.append(int(middle_pixel_value < binary_threshold))
because int(True) == 1 and int(False) == 0
maybe less readable, but might run a tiny bit faster
Audio slightly off?
I generally thought it was cos I had earphones on but less it not me 😅
seems like it
11:56 that’s when you know you program in js too much
or C or C++ or C# or quite literally most programming languages
Please John may you tell us your keyboard brand/model? That looks so nice and the sound as well. That would be so appreciated! Love the content as always
You probably could have saved yourself a lot of time with qrencode’s -t flag that allows outputting to various text-based formats 😉
Gnome switched to Loupe image viewer.
Also `qrencode -t UTF8` will do that for you. Lol, always RTM
But someone seeing an ASCII QR code will be more wary, maybe.
A different approach to distributing QR Codes that's perhaps less spearphish-y would be printing out a bunch of stickers with a malicious QR Code and putting them up around town. Bonus points for getting some buddies to print some in other towns too.
Great video
you could've used a blank braille pattern (u2800) as a replacement for the spaces
I believe vertical tabs should be used instead of newlines in the qr code in order to get rid of the gap between each line
Neat! Fun stuff.
This is how lots of image to ASCII app thinguies work btw. xD Turn image file into a matrix of numbers, replace numbers with ASCII characters of choice, print it out.
For the QR Code phishing though... can't e-mail administrators just drop all e-mail that comes with this set of ASCII characters that can be used to reproduce QR codes though? Really asking, I dunno how much filtering you can really do.
Can't really do it with a filter that only excludes images from e-mail, but if you have full access to text, probably, right?
I think you could use the quadrant characters to make the code 4 times smaller and better fit on screens.
You have uniform white space baked into the quadrants/halves in the very unicode table you've shown in the video.
10:19 How did that not crash?!? When I tried indexing like pixels[x,y] instead of pixels[x][y] it crashed with a TypeError telling me list indices must be integers or slices, not tuples.
hi John i need your advice:
what's the important concepts i have to focus on it in network for a beginner hacker
That's genius
Cool!
Wouldn't the "em space" work or would plain text render it as a normal space
Wow is this in the wild, Or did you come up with this ?
Haha "no one matter, nothing cares"
This man can communicate to code like none of us can but struggles to communicate with his fellow beings
What a time to be alive
I spot a dear fellow scholar 😄
Blocking QR codes is incredibly challenging. This is like asking admins to "block any email with an image of a chair"....except even worse w/ QR codes because you actually need to extract what the QR code is doing and where it sends you, analyze that, and then block or forward the message. So, "find anything that looks like a 'chair' in the email, extract the color of the chair and then only allow green chairs to be sent, block all other chairs". Way harder than people think.
And keep in mind there are more ways to display QR besides ASCII (and of course PNG/JPG, etc.). You can do this in CSS, HTML tables, SVG, Excel (yes paint the cells and form a qr code in an EXCEL document that would almost certainly bypass ALL MTA security). Vector Markup Language is yet another potential method....
It's really not hard to detect QR codes... this is literally how QR code scanners work; detect the QR code and decode it-that's the whole point of barcodes in general; to be easily machine-readable in many different conditions.
A QR code just contains plain text so you can interpret the content however you want. It's not at all comparable with detecting chairs in an image.
And if you think detecting non-image variants of QR codes would be hard, think again; simply render the email/content into an image (i.e. via. a browser) and perform the detection... like any scanner does; and it won't be slow either, even with a low-end CPU.
Corporate environments often just block all images by default from external senders. You can enable them on a per-sender basis.
@@capability-snob you’re trolling right? LOL
@@johnlockieI work in a company of >5000 information workers. I'm in an app dev team; so I'd make different decisions to IT, but our outlook 365 instance blocks images by default.
I've seen worse. In one branch of state government, we couldn't even _receive_ emails from outside addresses without first getting ourselves added to a special list. Imagine the fun of discovering that one for the first time.
Estaria bueno algo de android reverse tcp. 😂😂 exelente video
Menus at restaurants are mostly phising 😊😊😊
2:48 I was expecting a "plz sub"
Just curious, why not just do `$ qrencode -t UTF8 --casesensitive --8bit "$URL"` (replace var URL or string such as "hello world") from BASH?
Ah the nice audio sync
The reason for the black boxes us for you not check the whole image
Isn't UTF (anything) encoded email against the RFC for the various email protocols?
Doubt it, because that would mean you'd only be able to email in English.
Instead of nested loops with if/else logic inside it, you should just use `map`. Say what you mean: replacing two values with two strings should be stated directly, not explained how to do it in elaborate detail.
Python supports UTF8 in strings...
damn thats crazy
QR codes has its uses but the problem is how do I verify that I'm using the correct QR code . The next thing is how do we inform the users what is a safe QR code ?
The words "O its safe it's from iIT they used QR codes for wifi so this must be safe"
Isn’t there a cmd tool to make QR codes ?
Luckily for us, only 18k people saw it
Couldn’t you use the Square Emojis as black and white, if they would have the perfect size. (⬜️⬛️)
DING!😁
I never scan any qr codes to begin with or open links sent in email or by sms, I know some are propably safe but better safe than sorry
"no-one matters and nothing cares" 💀
Money and can't return me how to return this
how long the QR works ? ,forever whitout payment ?
a QR is just generated once and costs nothing, it works forever :)
Hi
Hi have you heard of Occupy Theweb John? Just wondering if you do know him...
if not... he should
Brother what
@@matteovalentino4890 what what???
i found a bug in this video 😂
😈
i don't think he offers bug bounty
@@nixoncode its like self xss bro nit in the scope 🙂😹
Sir some people cheat with my
i just pissed on my wall
nothing is freee dear sir there is a hiddden ajenda
Sir I have lost my 8 lack yesterday plz help me out plzzz
○
More malware hahahahahahhaha
U+3000
ok am i pinned?
This was confusing. I thought I'd learn something about the inner workings of qr codes and how attackers use them for exploitation. Instead we built a janky qrcode image parser. Like why? Every Python qrcode library will give you the raw qrcode, no need for conversion or pixel scaling. Some even create UTF8 character arrays or ASCII art output, which would have achieved the exact same thing, ready to use. Instead of "Hackers Can Phish with PLAINTEXT QR Codes" this was mostly "How to read an image using PIL and look at each pixels color value".
Same here. Didn't get the point of the script. Was waiting for the hack thing.
Thought I was the only one who noticed that...
@@TheBBoyQ Clickbait titles youtubers make.
First🎉
People can create say a phishing website and generate a qr code for that and scam the ppl right???🤔
you didn’t know this?? 😂