DVID - Fix images

pull/1/head
Swissky 2019-12-26 20:36:18 +01:00
parent 31d65d8e6c
commit 3e3c4cb785
1 changed files with 26 additions and 28 deletions

View File

@ -5,7 +5,7 @@ title: DVID - Damn Vulnerable IoT Device
## DVID - Damn Vulnerable IoT Device
Who ever wanted to learn about Hardware Hacking ? I found this small opensource **IoT hacking** learning board while I was in a security event. I is designed by [@vulcainreo](https://twitter.com/vulcainreo/) and cost around 45€, more than 300 units were shipped around the world.
Who ever wanted to learn about Hardware Hacking ? I found this small opensource **IoT hacking** learning board while I was in a security event. It is designed by [@vulcainreo](https://twitter.com/vulcainreo/) and cost around 45€, more than 300 units were shipped around the world.
Let's dig into this awesome project and clone the git : `https://github.com/Vulcainreo/DVID.git` !
@ -22,7 +22,7 @@ Let's dig into this awesome project and clone the git : `https://github.com/Vulc
First we need to push the correct firmware to start playing with the device, the LED will blink.
```powershell
{% highlight python%}
$ sudo avrdude -c usbasp -p m328p -U flash:w:findTheDatasheet.ino.arduino_standard.hex
avrdude: warning: cannot set sck period. please check for usbasp firmware update.
@ -40,11 +40,11 @@ avrdude: input file findTheDatasheet.ino.arduino_standard.hex auto detected as I
avrdude: writing flash (14346 bytes):
Writing | ######################## | 48% 7.14s
```
{% endhighlight %}
We are asked to connect RX to the PD1 pin to get the password, we need to check the Datasheet to know where is the PD1 pin.
![RXfind]({{ site.baseurl }}/images/rx_finddatasheet.jpg "RXfind"){: .center-image }
![RXfind]({{ site.baseurl }}/images/DVID/rx_finddatasheet.jpg "RXfind"){: .center-image }
The board is using an ATmega328, let's check the pinout from Wikipedia : https://en.wikipedia.org/wiki/ATmega328, we see PD1 is linked to UART TXD pin.
@ -52,12 +52,12 @@ The board is using an ATmega328, let's check the pinout from Wikipedia : https:/
Using the Gerber file **Gerber_BottomLayer.GBL** provided in the github we can also see the PD1 pin is linked to Soft Flash TX, I used http://www.gerber-viewer.com to display the file.
![GerberViewer]({{ site.baseurl }}/images/GerberViewerPD1bis.png "GerberViewer"){: .center-image }
![GerberViewer]({{ site.baseurl }}/images/DVID/GerberViewerPD1bis.png "GerberViewer"){: .center-image }
A simple wiring to the UART port is enough to connect the DVID to my Kali Linux VM, we can then access i
t through **/dev/ttyUSB0**. We can check our VM logs using **dmesg** command.
```powershell
{% highlight bash%}
$ sudo dmesg -w
[10691.448743] usb 3-3.1: new full-speed USB device number 8 using xhci_hcd
[10691.770954] usb 3-3.1: New USB device found, idVendor=10c4, idProduct=ea60, bcdDevice= 1.00
@ -71,11 +71,11 @@ $ sudo dmesg -w
[10691.835539] usbserial: USB Serial support registered for cp210x
[10691.835560] cp210x 3-3.1:1.0: cp210x converter detected
[10691.839533] usb 3-3.1: cp210x converter now attached to ttyUSB0
```
{% endhighlight %}
From there we only need to read the output with Python or with `minicom -b 9600 -o -D /dev/ttyUSB0` (use Ctrl A + X to exit).
```python
{% highlight python%}
$ python2
Python 2.7.17 (default, Oct 19 2019, 23:36:22)
[GCC 9.2.1 20191008] on linux2
@ -87,9 +87,9 @@ Type "help", "copyright", "credits" or "license" for more information.
>>> read = ser.readline().decode('utf-8')
>>> print(read)
D***[...]******
```
{% endhighlight %}
![Minicom]({{ site.baseurl }}/images/minicom_finddatasheet.png "Minicom"){: .center-image }
![Minicom]({{ site.baseurl }}/images/DVID/minicom_finddatasheet.png "Minicom"){: .center-image }
### Firmware - Default Password
@ -100,16 +100,16 @@ Once again we push the firmware : `sudo avrdude -c usbasp -p m328p -U flash:w:de
Since the challenge is to find a default password, we will connect to the debug interface (UART) of the DVID and try to interact with it. First we need to wire it correctly, remember to pair RX with TX and TX with RX, and do NOT plug the USB if you wire the 5v pin ;)
```powershell
{% highlight bash%}
VCC <---> VCC
RX <---> TX
TX <---> RX
GND <---> GND
```
{% endhighlight %}
Using the code from the last challenge we can write a simple script to interact with the device /dev/ttyUSB0. We will iterate over the john wordlist to bruteforce the service until it responds with "ok" instead of "ko".
```python
{% highlight python%}
import serial, time
port = "/dev/ttyUSB0"
baud = 9600
@ -126,11 +126,11 @@ with open('/usr/share/john/password.lst', 'r') as f:
print("Sent {} bytes".format(res))
print("Result: {}".format(s.readline()))
time.sleep(3)
```
{% endhighlight %}
And we got it ! Obviously the password is hidden, real one is available [here](https://www.youtube.com/watch?v=SCaAetNzXIc) :D
![DefaultPasswd]({{ site.baseurl }}/images/defaultpasswd.jpg "DefaultPasswd"){: .center-image }
![DefaultPasswd]({{ site.baseurl }}/images/DVID/defaultpasswd.jpg "DefaultPasswd"){: .center-image }
### Firmware - Hardcoded Password
@ -141,7 +141,7 @@ We push the firmware with `sudo avrdude -c usbasp -p m328p -U flash:w:hardcoded
Now we will dump the previously sent firmware, we could just analyse the **hardcodedPassword.ino.arduino_standard.hex** file but it is not realistic.
```powershell
{% highlight python%}
$ sudo avrdude -c usbasp -p m328p -F -U flash:r:dump.hex:i
avrdude: warning: cannot set sck period. please check for usbasp firmware update.
avrdude: AVR device initialized and ready to accept instructions
@ -154,14 +154,14 @@ Reading | ################################################## | 100% 17.15s
avrdude: writing output file "dump.hex"
avrdude: safemode: Fuses OK (E:FF, H:D9, L:E2)
avrdude done. Thank you.
```
{% endhighlight %}
Now we have a file **dump.hex** containing the current firmware, let's convert it to binary with `avr-objcopy -I ihex -O elf32-avr dump.hex dump.elf`.
we could also dump the firmware as raw binary with `sudo avrdude -c usbasp -p m328p -F -U flash:r:dump.raw:r`.
From these dumps we can make a wordlist of every strings in there, then we will try to bruteforce the service by sending everyone of them.
```powershell
{% highlight bash%}
$ strings dump.elf -n 10 | tee passwords.lst
>[O[>>kOk>
rIIIF!AIM3
@ -182,11 +182,11 @@ T03 Hard.Pass.
I have confidential message. Pass ?
Wrong password
Well done! Message :
```
{% endhighlight %}
We can reuse the last challenge script, this time we have to remove the `s.readline()` line since we are blindly attacking the service. Nothing will be outputted on the serial port in case of a good password, we need to pay attention to the screen, fortunately the password is in our small list of 15 passwords.
```python
{% highlight python%}
import serial, time
port = "/dev/ttyUSB0"
baud = 9600
@ -201,11 +201,11 @@ with open('passwords.lst', 'r') as f:
print("Pwd: {}".format(pwd.strip()))
print("Sent {} bytes".format(a))
time.sleep(10)
```
{% endhighlight %}
The `time.sleep(10)` is very important, we don't want to flood the board with too many passwords !
![HardPasswd]({{ site.baseurl }}/images/hardcodedpasswd.jpg "HardPasswd"){: .center-image }
![HardPasswd]({{ site.baseurl }}/images/DVID/hardcodedpasswd.jpg "HardPasswd"){: .center-image }
### Bluetooth - Advertising
@ -217,7 +217,6 @@ The `time.sleep(10)` is very important, we don't want to flood the board with to
I had to setup my virtual machine correctly to use the Bluetooth dongle provided with the DVID, the following commands were enough to get it running. However I later discovered the BLE was not working as it should be...
{% highlight bash%}
```powershell
$ systemctl enable bluetooth
$ sudo systemctl restart bluetooth
@ -233,14 +232,13 @@ Discovery started
[CHG] Device 38:18:4C:YY:YY:YY RSSI: 127
[CHG] Device 38:18:4C:YY:YY:YY Name: WH-1000XM3
Here the DVID should have appeared ...
```
{% endhighlight %}
NOTE: from there I switched to my Phone and the application [NRF Connect](https://play.google.com/store/apps/details?id=no.nordicsemi.android.mcp&hl=en_US). In order to get the flag we have to send the bluetooth name through the serial port.
![BLEName]({{ site.baseurl }}/images/blename.jpg "BLEName"){: .center-image }
![BLEName]({{ site.baseurl }}/images/DVID/blename.jpg "BLEName"){: .center-image }
```python
{% highlight python%}
import serial, time
port = "/dev/ttyUSB0"
baud = 9600
@ -250,6 +248,6 @@ pwd = "dvid-redacted"
res = s.write(pwd.strip())
print("Pwd: {}".format(pwd.strip()))
time.sleep(3)
```
{% endhighlight %}
![BLEAdvert]({{ site.baseurl }}/images/bleadvertising.jpg "BLEAdvert"){: .center-image }
![BLEAdvert]({{ site.baseurl }}/images/DVID/bleadvertising.jpg "BLEAdvert"){: .center-image }