Drop #194 (2023-02-07): A Picture Is Worth A Thousand Pings, Pwns, & …Posters?
Prompts, PowerShell, & MS Paint; IPv6 Canvas; 🇺🇸 Frequency Allocation Chart
AI-generated images get far too much attention these days. Sure, they're cleverly built tools, but we humans have been making artsy marks on canvases of all shapes and sizes for thousands of years, and we will continue to do so for, likely, ever.
While images are the theme of today's Drop, that core concept is the only glue holding each section together, as you will soon discover.
Prompts, PowerShell, & MS Paint
I see a surprising number of posts on Mastodon lamenting the lockdowns imposed by IT departments on individual computing devices. I have no doubt contributed to this draconian culture over the past thirty-odd years. As such, I feel compelled to at least link you to some resources that may help end parts of your frustration, if you find yourself in an environment with similar limitations.
Now, it's time for a not-so-seekrit seekrit: cybersecurity has mostly failed you from the very beginning. Sure, vendors tout the efficacy of their bleeding-edge tools at every expo they can plant a booth and some swag in, but their claims just about break down the second their tech comes into contact with clever humans.
Rickard Carlsson (@tzusec) is a talented “penetration tester” (yes, most of the titles in cybersecurity are equally childish). “Pentesting” is the practice of taking advantage of inherent flaws in any computer system to achieve some objective. Companies tend to hire pentesters to meet some sort of checkbox compliance initiative, but some hire them to find flaws and take corrective action before non-benign folks decide to do some poking on their own.
In “How To Launch Command Prompt And PowerShell From MS Paint”, Rickard:
…shows you how you can launch a CMD shell and PowerShell with help from Microsoft Paint. Sometimes organisations' environments are being locked down and are preventing users from right clicking and opening tools such as cmd.exe or powershell.exe. When I face that during a penetration test I usually try this simple mspaint hack to check if I can get around the organisation's defensive measures.
The technique is easily replicated, and tends to work even in organizations with “decent” endpoint protection (as decent as we can get, these days). Please read Rickard's disclaimer before attempting such feats on your own, and — perhaps — poke at a few others of Rickard's articles if this post piques your pwning interests.
IPv6 Canvas
While many of us want to eradicate the years 2015-2020 from our collective memories, not everything that happened in the Before Times was horrible. You may recall that, back in 2018, some clever folks set up a physical light display that you could “paint” on by precisely pinging “75 IPv4 Internet’s worth of addresses” in IPv6 internet space.
Sadly, jinglepings resolves and has content, but the livestream of the connected display is busted or nonexistent.
Cameron does a fantastic job explaining the setup, so I'll leave you in their capable hands.
(I went with an old capture of the 2018 holiday display for the section header since this new virtual one had some, er, not so great content on it when I went to capture it.)
🇺🇸 Frequency Allocation Chart
All of us generate and consume radio frequency emissions of some sort every second of our lives. The realm of possible frequencies is dubbed the “spectrum”, and some smart folks knew that said spectrum would need to be managed if it was going to be useful for the benefit of all. Yes, spectrum allocations are abused and bribed away on the reg, but there is absolutely a good faith effort, at least in the U.S., to ensure fair and equitable use of these waves.
Jon Keegan posted a fun and informative piece on one of the ways this spectrum is managed, here in 🇺🇸. The United States Frequency Allocation Chart (featured in the section header image) “illustrates the incredible complexity of managing one of our nation’s most crucial – and invisible – national assets: the radio spectrum.”
Somewhere above you right now, a plane is broadcasting its location, speed and bearing on 1090 MHz. A geostationary weather satellite 22 thousand miles from Earth is transmitting detailed weather maps on 1694.1 MHz. A car driving by your home is transmitting a signal with the pressure readout of one of its tires at 315 MHz. A GPS satellite flying overhead at 8,000 miles per hour is pinging a signal to your phone at 1575.42 MHz. A data buoy bobbing in the Atlantic ocean transmits sea temperature, wave height and wind speed readings to a NOAA satellite at 401 MHz. On top of all that, every single mobile device and WiFi router near you blasts out everyone's internet traffic through the air over radio waves. How the hell are all of these signals getting to the right place, intact without stepping all over each other? The answer is a very carefully regulated radio spectrum.
The Federal Communications Commission (FCC) and the National Telecommunications and Information Administration (NTIA) share the task of managing the allotment of radio frequencies for U.S. airwaves. The NTIA manages all Federal radio applications (including military uses), while the FCC manages everything else including state and local government, commercial and amateur radio use.
The airwaves floating across America are sliced up into chunks (some wide, some incredibly narrow) where different services and uses are permitted to broadcast and receive radio signals.
It is an incredibly complex system, and to help with the job of explaining the importance of managing this invisible natural resource, the NTIA publishes this wall chart (which you can order from the Government Printing Office as a poster for a mere $6 with free shipping!).
Jon goes into many more details and provides links to the source data, along with other allocation views. I know there are scads of talented readers who can come up with some super-clever views of their own into the spectrum allocations. Def drop a link to your work if you carve out some time to make some of your own waves.
I'll take this closer space to reiterate the need to be super careful if you decide to dip your toes into the hacking world. ☮