Executable Phishing Payloads

15 Jul, 2022 - 4 minutes
Last week I was working on a social engineering engagement that included pretext phone calls, email phishing, and USB drops. I had to build payloads for the phishing email attachments and USB drops. This engagement was standalone, and therefore was not supporting other testing efforts like an internal pentest. Therefore, the payloads didn’t have to do anything fancy. I just needed proof that they were executed. Ideally, I wanted to collect the following information with each execution:

Chakra Type Confusion

25 Jun, 2022 - 51 minutes
Introduction I’m taking Offensive Security’s PEN-401 course this summer in an attempt to earn my OSEE certification. It’s the most difficult and most technical course they currently offer. I really enjoyed earning my OSCE and OSED certifications through them and I figured some day I would make an attempt at the OSEE. I wasn’t expecting to go for it in 2022, but they reached out to me with an available spot and I couldn’t pass up the chance.

Disassembling Firmware for a Ham Radio TNC: Part 2

3 Jun, 2022 - 5 minutes
Aha! I think I figured something out. I did some web searching to see if I could figure out how to identify the firmware entry point address. I found a StackExchange post that mentioned something called a “reset vector”. It sounds like a reset vector is a pointer that the CPU looks at to tell it where to begin program execution. The reset vector location is CPU-specific. I went back to the Motorola datasheet and searched for information about reset vectors.
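As an added example (not code from the original post, and not taken from the Kantronics firmware), the following Python pulls the reset vector out of a raw ROM dump and converts it to a file offset that can be handed to a disassembler as the entry point. It assumes the Motorola 6800/6809/68HC11-family convention of a 16-bit big-endian reset vector at $FFFE-$FFFF and a flat dump mapped at a single base address; the page does not name the CPU, so the vector address and endianness are parameters. The sample image is constructed inline and is not a real dump.

```python
"""Locate a firmware entry point via the reset vector in a raw ROM dump.

Added example for this page; not code from the original posts.
Assumptions (not stated on the page): the MCU stores a 16-bit big-endian
reset vector at $FFFE-$FFFF (Motorola 68xx-family convention), and the dump
is a flat image covering addresses base .. base + len(image) - 1.
"""
import struct

RESET_VECTOR_ADDR = 0xFFFE  # assumed: Motorola 68xx-family convention


def read_reset_vector(image: bytes, base: int,
                      vector_addr: int = RESET_VECTOR_ADDR,
                      big_endian: bool = True) -> int:
    """Return the address stored in the reset vector.

    Raises ValueError when the vector itself lies outside the dumped range,
    which usually means the base address guess is wrong.
    """
    off = vector_addr - base
    if off < 0 or off + 2 > len(image):
        raise ValueError(f"reset vector at {vector_addr:#06x} is outside the dump")
    fmt = ">H" if big_endian else "<H"
    return struct.unpack_from(fmt, image, off)[0]


def entry_point_offset(image: bytes, base: int, **kw) -> int:
    """Map the reset-vector target to a file offset inside the dump.

    Raises ValueError if the target is not inside the image: either the base
    address is wrong or the vector points at something the dump did not capture.
    """
    target = read_reset_vector(image, base, **kw)
    off = target - base
    if off < 0 or off >= len(image):
        raise ValueError(f"entry point {target:#06x} not in dump; check base address")
    return off


def plausible_bases(image: bytes, candidates=range(0x0000, 0x10000, 0x1000), **kw):
    """When the load address is unknown, return the candidate bases for which
    both the reset vector and its target fall inside the image."""
    found = []
    for base in candidates:
        try:
            entry_point_offset(image, base, **kw)
        except ValueError:
            continue
        found.append(base)
    return found


def build_sample_image() -> bytes:
    """Constructed 4 KiB ROM image mapped at $F000 (not a real KPC 9612+ dump).

    Unprogrammed space is 0xFF. A few placeholder bytes sit at $F100 and the
    reset vector at $FFFE points to them.
    """
    base = 0xF000
    img = bytearray(b"\xff" * 0x1000)
    img[0x100:0x103] = b"\x4f\x5f\x20"  # placeholder bytes, not claimed to be real code
    struct.pack_into(">H", img, RESET_VECTOR_ADDR - base, 0xF100)
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    target = read_reset_vector(img, 0xF000)
    print(f"reset vector -> {target:#06x}, file offset {entry_point_offset(img, 0xF000):#x}")
    print("plausible bases:", [hex(b) for b in plausible_bases(img)])
```

The out-of-range checks are the useful part in practice: a dump taken with the wrong base address, or an image that only covers part of the ROM, produces a vector target that lands outside the file, and `plausible_bases` turns that failure into a quick search over candidate load addresses.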

Disassembling Firmware for a Ham Radio TNC

27 May, 2022 - 8 minutes
After having dumped the firmware for my Kantronics KPC 9612+ TNC, my next thought was to try and disassemble this code with IDA Pro; however, it turns out IDA Pro free edition doesn’t support this architecture. I’m not excited enough about this project to go spend the money on a professional license. Next I tried Ghidra. I hadn’t used Ghidra before, but it seemed like a good time to test it out.

Dumping the Firmware from a Ham Radio TNC

26 May, 2022 - 4 minutes
After working on my WinAPRS exploits, I had a thought that my ham radio TNC (radio modem) could have vulnerabilities built right into the TNC itself. I have a Kantronics KPC 9612+ TNC. I think it originally was released sometime in the 1990s and was finally discontinued in 2020 for a newer model. Mine still works just fine, though. The TNC runs its own little operating system that supports decoding different kinds of packet data.