You don’t need to read or agree to a EULA to extract binaries

Impero Software have sent a particularly dickish letter to @TheWack0lian after he raised a security vulnerability (unauthenticated user remote command execution) in their software.

Impero’s entire complaint seems to be that their End User License Agreement (EULA) has been breached. Explicitly stated in the letter is that @TheWack0lian must have agreed to the EULA to mess around with the software. Really?

Letter extract

Let me tell you a secret, Impero and Gateley Plc

If you make your software downloadable (link dead now), you don’t need to run the installer to see what is inside it.

Windows has built in tools that can unpack most MSI files. 7zip deals with the bulk of the rest. For those left, lessmsi will unpack them.

This exactly the route I took after I downloaded Impero’s software – simply unpacked it and started hacking.

Files in MSI

You could have handled this well, instead I know that there are now at least three 0-days out there for the Impero software.

Stop doing client-side password hashing

Right, this has come up enough to write a post about it.

Stop hashing passwords on the client-side and sending the hash in the clear. It is not a substitute for HTTPS!

Here is an example of this being done on the DSC Security website. Go to “Security Professional Login”, and you get a pop-up login box. It looks like JavaScript is involved.

Note that the login page is served over HTTP (not HTTPS). This doesn’t always mean that the login credentials are passed over HTTP though. Sometimes the HTTP form submits to a HTTPS page.

This is still bad from a security perspective as the attacker can deliver you a malignant login form that submits credentials to a server under his control.

Regardless, DSC aren’t doing anything over HTTPS – it’s all HTTP – so it is all sent in the plain. HTTPS is essentially free these days – there is no excuse to not use it.

That said, it appears that someone at DSC has realised that HTTP a bad idea, so they have implemented… a thingy. A thingy that does little to improve security.

Here is the query that they send when I entered test/test:

GET /index.php?o=login&user=test&pwd=098f6bcd4621d373cade4e832627b4f6&remember=yes HTTP/1.1

So that parameter pwd isn’t test. What is it?

Let’s look at the JavaScript powering the site.

function login() {
    el = document.getElementById("lusername");
    el2 = document.getElementById("lpassword");
    el3 = document.getElementById("remember");
    url = "/index.php?o=login&user=" + encode(el.value) + "&pwd=" + md5(el2.value);
    if (el3 && el3.checked)
        url += "&remember=yes";
    if (xmlhttp!=null) {
      xmlhttp.setRequestHeader( "If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT" );
    } else {
        url2 = "/index.php?o=login2&user=" + encode(el.value) + "&pwd=" + md5(el2.value);
        if (el3 && el3.checked)
            url2 += "&remember=yes";

Yes – it’s MD5ing the unsalted password test and submitting the hash.

A passive observer of the traffic can still just sniff a single login and re-use the hash to login to DSC. They don’t need to know the password.

A passive observer could obtain the password by cracking the MD5 hash. Because it is un-salted, the hash of can even be googled to find the password. Salting is essential when using a hash to store passwords.

Even if the attacker couldn’t get the password by passive observation and cracking, they could simply serve up a login page that submits the original password to a server under their control.

This isn’t the first, second, third, fourth or even fifth time I have seen this. It’s useless. Stop doing it!

Note that DSC are also passing sensitive parameters as GET rather than POST. This means that the hash is stored in your URL history, proxies between you and the server etc.




Insecure CSL Dualcom mobile app

CSL Dualcom, the intruder alarm signalling provider, recently released a mobile app. It’s aimed at installers, and appears to allow them to perform site surveys (see signal strength for different networks) and view the status of devices they have installed. The promotional video also shows two pieces of data – ICCID and chip number – that, in my opinion, could be used to clone the CSL Dualcom device.

From promotional video

From promotional video

This is relatively sensitive data so I thought I’d take a quick look at the security measures they have taken in the app.

Unfortunately a number of basic and unforgiveable mistakes have been made.

Using Burp Suite, I proxied the traffic between the iOS app and CSL to see what was happening. I then downloaded the Android APK and viewed it in a decompiler.


Nothing I can see in the traffic or app indicates that HTTPS is used anywhere – it’s all HTTP, albeit on a non-standard port 15136.



This means that all data sent between the app and server is sent in the plain, and can be intercepted or altered by anyone in the middle.

On a mobile app, this is totally unforgiveable, for a number of reasons:

  1. There are no cues to the user that the app is not using HTTPS. A browser makes it pretty clear when a site is using HTTPS. An app doesn’t.
  2. A mobile app can and will be used on unsecured WiFi and untrusted network connections. This massively increases your exposure to attack compared to using a trusted machine on a trusted network.

HTTPS is essentially free these days. The actual certificate is not expensive (and, for a mobile app, you can get away with self-signed and pinned certificates), and the increase in processing power required on the server and client is minimal.

Poor code quality

There are a number of signs that the code quality of the app is not up to scratch.

It sends your IMEI to their servers when it first runs, but the end-point just responds to tell you it’s invalid JSON. So you are sending sensitive information in the clear, but it’s being discarded anyway.

IMEI request

IMEI request

IMEI response

IMEI response

This is really quite sloppy and should have failed testing.

The code has typos in it e.g. IEMI, phon, etc.



Human readable error messages sent as responses end up as nonsense when presented to the user:

This makes sense…


But this makes no sense...

But this makes no sense…


I’ve not even actually logged into the app yet, but the lack of HTTPS should be enough to stop anyone from using this app.

The lack of HTTPS was reported to CSL Dualcom on the 26th June 2015. A review of the Androud app on 28th October 2015 shows that it is using HTTPS, but this has not been checked for further issues.


Subjects don’t need to be preserved in Certificate Signing Requests

I’ve been playing round with certificates, keys and Certificate Signing Requests (CSRs) whilst evaluating the security of an IoT solution.

I’ve had a longstanding misconception around CSRs and I thought I would document it here in case anyone else finds the same issue.

The purpose of a CSR is to request a certificate from a Certificate Authority (CA), where they sign your public key and a number of pieces of data called “subjects”. Normally these subjects, for HTTPS, are related to the domain.

The CSR in question looks like this:

root@kali:~# openssl req -in csr.req -text -noout
Certificate Request:
        Version: 0 (0x0)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption

This has a subject of an email address – and my public key. That whole lot is then signed with my private key. This allows the recipient of the CSR to verify that someone with the private key corresponding to the public key has added the data

I thought the CA then signed the entire CSR, preserving the subject, and hence also my signature. It turns out that they can actually just re-write the subject and sign it – my signature is no longer involved!

Here is an example certificate received back from the CA:

root@kali:~# openssl x509 -in -text -noout
        Version: 3 (0x2)
        Serial Number: 35242 (0x89aa)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DK, O=HackingTeam
            Not Before: Jul  6 03:52:32 2015 GMT
            Not After : Jul  4 01:52:33 2025 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
            X509v3 Authority Key Identifier: 

    Signature Algorithm: sha1WithRSAEncryption

As you can see – there is no notion of my signature in there. The email of has been altered to by the CA. This is because my registered email is

It’s not very important, but I was initially excited when the CA returned a certificate for an email which I wasn’t registered with as it could have led to an interesting vulnerability. It’s important to note that a certificate issued by a CA can be done so without the owner of the public key being aware.


Why dynamic DNS is a bad idea for the Internet of Things

Dynamic DNS has been around for a good while now, allowing users who have dynamic IPs (or even those with static IPs, no DNS, and bad memory) to use a hostname of their dynamic DNS provider to point towards their home IP.

Dynamic DNS makes it easier for a user to connect back to their home IP and interact with devices in their network. It provides a mapping between a constant hostname (e.g. and your IP (

A device on your network (maybe your router, often a specific device) periodically communicates your IP to the dynamic DNS service. The domain name resolution changes as your IP changes. This means that if your IP changes, you can still connect to your home network using the constant hostname.

Simply knowing the IP is not enough – you need to be able to acutally connect to the devices. Normally a home router has a firewall set to reject nearly all incoming traffic. A user needs to punch a hole through the firewall, often using something called port-forwarding.

This exposes a device on your private network to the wider Internet. You are no longer using the security of your router’s firewall, but depending on the security of the device you have exposed.

Devices like IP CCTV cameras, network/digital video recorders, thermostats, and home automation hubs often rely on this combination of port-forwarding and dynamic DNS.

For example, a lot of Swann DVRs recommend you port-forward port 85 from your router back to your DVR. Swann then runs their own dynamic DNS service, which the DVR can be configured to communicate with.

Sounds like a great idea, doesn’t it? Users can easily connect back to their IoT devices from outside their home.

Unfortunately, dynamic DNS, especially when it is provided by deivice manufacturers, is generally a bad idea.


Finding hostnames

Each user that uses dynamic DNS has a unique subdomain – e.g. – try it using nslookup:
Screen Shot 2015-06-04 at 23.01.15

(no, that’s not my own IP)

Now try something that doesn’t exist:

Screen Shot 2015-06-04 at 23.04.53

And you can see we get no response (as long as no-one registers that domain after I publish this…)

We can do this as a bulk operation, using a large wordlist and a tool called subbrute. This tool is commonly used during the discovery phase of a pen test to find new hosts. Subbrute uses a wide array of DNS servers rather than just your own one, allowing it run quicker and with lower risk of rate limiting.

It’s important to note that the operator of is highly unlikely to notice someone brute-forcing sub-domains like this. They might see a slightly higher rate than average of lookups as new DNS servers end up having to make recursive requests for their authoritive records. But the attacker’s IP will remain entirely hidden. The dynamic DNS users will see nothing at all from this attack.

The wordlist required for this application differs to a typical host wordlist. We don’t want to find ftp, dev1, vpn, etc. We want to find optus, redrover, zion, pchome, concordia. These are closer to usernames than normal hostnames. I used a custom list of usernames and hostnames built up over the last few years for this, but other sources like fuzzdb and SecLists are good starting points.

Running subbrute against quickly got me a list of 2401 valid hostnames. I’m sure a longer wordlist would reveal more hostnames, but 2401 is enough for this.

Scanning hosts for webservices

Given that is intended to be used by people who own Swann products, I though I would concentrate on ports that Swann products commonly use. This includes the typical port 80 (HTTP), port 443 (HTTPS), but also 85 (a lot of Swann products run HTTP on this port).

Let’s fire up nmap:

nmap -vv -Pn -iL swann_hosts.txt -T5 -p80,85,443 --open -oA nmap_swann | tee nmap_swann.txt
  •  -vv – verbose output
  • -Pn – don’t ping check host first
  • -iL swann_hosts.txt – take this file as the input
  • -T5 – scan fast
  • -p80,85,443 – scan ports 80, 85 and 443
  • –open – only show open ports
  • -oA nmap_swann – output in greppable, nmap and xml files
  • tee nmap_swann.txt – console to a text file

This scan will run quickly – we are only trying three ports on (mainly) consumer routers, so there is little risk of anything clamming up with the fast scan.

After this, we have 335 hosts running something on one of these three ports. That’s a lot of hosts to check manually. I won’t post the results here as it is likely transient.

Screengrabbing hosts

Luckily there is a tool that is designed to take a list of hosts/services and grab a screenshot of each one. It’s called peepingtom. It uses a library called PhantomJS to render the webpages, save a screenshot and the source, and present it in a nice HTML file. It also works with nmap output files.

At the moment, there are no binaries available for PhantomJS, so you will need to build it yourself under Linux. This takes quite a while.

Running peepingtom is very simple, but it doesn’t, by default, treat port 85 as HTTP. We need to edit the file. In the function parseNmap, add 85 to the http_ports:
Screen Shot 2015-06-05 at 09.21.46

Now we run peepingtom:

./ -x nmap_swann.xml

It will take quite a while to run. Peepingtom won’t do anything complex with JavaScript, redirects, Flash etc. so some of the results will be basic, but it’s easy enough to confirm the interesting results in a browser.

What do we find?

Lots of IIS, generally vulnerable to MS15-034 (27/335 hosts running IIS, 21 vulnerable). I guess people into DVRs like tinkering with IT and forgetting about what they are running.


Lots of DVRs, which may (or may not) use default (or no) credentials.



Some IP cameras:


Lots and lots of modems and routers, some with no login credentials at all.

In fact, it looks like about 85 hosts are running DVRs, and about 30 of these have an easy to exploit vulnerability that I found a few months back (responsible disclosure ongoing…) that results in root access to a fairly powerful embedded Linux box.

Scanning hosts for other typically insecure services

Going back for another nmap scan, this time on 21 (FTP), 22 (SSH), 23 (Telnet) and 25 (SMTP), we find even more hosts running services. Telnet is very popular.


So what is the issue here?

Dynamic DNS gives me a very easy way of identifying hosts that run multiple, likely insecure services/devices including those made by specific manufacturers.

These IoT devices nearly always have some vulnerabilities and very rarely receive any firmware updates to fix them.

It’s like a big flag shouting “hack me”!

I could take over 30 DVRs just from this small amount of work and use them for whatever I want.

It would take me much longer to scan the entire IPv4 address space to find these specific devices.

What’s the solution? Stop relying on port-forwarding to allow connectivity to your devices. If you need to, make them secure and don’t allow default credentials!


MintDNS dynamic DNS software – multiple vulnerabilities

MintDNS is a piece of software used to provide dynamic DNS services. It runs under Windows, and I can find ~50 different CCTV/NVR providers using it.

I’ve only had a very quick check of this piece of software, but it appears to suffer from multiple, fairly serious, vulnerabilities.

User input validation is performed client side

There are a number of checks on things like password length done client side. These can easily be bypassed by setting values directly in requests. For example, custom security questions can be set, and empty passwords.

Passwords stored in the plain

The database stores passwords, encoded as base64, in the Admin and Users tables:

Users table

Users table

Admin table

Admin table

dGVzdHBhc3M= is “testpass”

It is not advised or forgiveable to store passwords in the plain anymore.

Passwords stored in the plain in a cookie

When logging in, the base64 password is stored in the plain in a cookie.

HTTP/1.1 302 Found
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /devices.aspx
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie:; expires=Fri, 05-Jun-2015 14:25:24 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 04 Jun 2015 14:25:24 GMT
Content-Length: 132

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="%2fdevices.aspx">here</a>.</h2>

There really is no excuse for this either. This is what session tokens are for.

Password check from cookie is case-insensitive

Each time a page is viewed, the password is checked from the cookie. Because the database stores the password in base64 and the cookie is in base64, they are directly compared.

However, this is done in SQL which is by default case-insensitive.

This means that the base64 string of dGVzdHBhc3M= (testpass) is just as valid as DgvZDhbHC3m= or any of the other variations.

No password brute-force protection on cookie

Whilst the login form has brute-force protection (“FloodCheck”), the cookie doesn’t have any brute-force protection. You can just chug through passwords as quickly as you like.

Brute-force cookie password - long response indicates success

Brute-force cookie password – long response indicates success

A lack of brute-force protection is common on cookie values, but usually the token is a lengthy session token with enough entropy to mean this is not an issue.

Password reset is insecure

On attempting to reset a password, the first step is to provide the email address.

Once this is done, you are presented with a security question:
Security question

This has no brute-force protection in the form of lockout or captcha, so off we go with a brute-force attack – against something that has a lot lower entropy than a password. I’d wager that a list of 100 common foods, 100 common cities and common phone number formats would yield a vast majority of accounts.

But when we get the question right, how does it deal with it?

Cookie with original password

That’s right! It puts the original password into the cookie, base64 encoded!


I stopped looking at this point. MintDNS has enough issues that I wouldn’t use it. Reviewing the .aspx files indicate to me that the development is ad-hoc and a bit naive. The website doesn’t really indicate that the software has been updated in the last 5 years.

I found a couple of instances where user input was reflected back in the response, but there are basic XSS checks combined with the IIS/ASP checks, so it did not appear to be exploitable.

Interesting Shodan searches: PIP technologies ANPR cameras

Again, browsing telnet, I see the word “ANPR” – Automatic Number Plate Recognition.

Most of these say “P372” and a Shodan search for that delivers the goods. The telnet prompt shows us P372, but nearly all of these also have HTTP open as well.

It’s safe to say a lot of these don’t have any authentication on telnet or HTTP.

Their default mechanism to report plates is by FTPing the data to a central server. The FTP server IP and credentials can be viewed through the configuration interface. The manual recommends that this FTP acount has read and write permissions using MS FTP, so once you have these credentials, it is likely you can tamper or upload fake records – and not just for this single camera, but likely any in the network. The manual also uses the example “ftp_boot” for both user and pass, and it seems a lot of people have taken this literally.

Credentials blanked by me

Credentials blanked by me

These ANPR cameras are used by local authorities and governments.


Who is to blame here?

I think the mnaufacturer should make the system impossible to configure this badly, and provide a default configuration and documentation that prevents this kind of stuff.

But whoever installed these also needs to bear some responsibility. If I get a boiler fitted, I expect the installer to know what each pipe and wire does, and not just hide the ones he doesn’t understand…

It looks like Darius Freamon has already found this.

Interesting Shodan searches: Dedicated Micros DVRs

This one was found just browing “port:23 country:GB” results.

It appears that SD Advanced DVRs don’t always require a username and password to get into them  – “SD Advanced Closed IPTV -usernameScreen Shot 2015-05-16 at 10.47.45 Screen Shot 2015-05-16 at 10.47.31

Yeah. Let’s look at the manuals.
Screen Shot 2015-05-16 at 16.28.54

So that’s no username or password by default.

Screen Shot 2015-05-16 at 16.30.23

And an ini file with credentials of other devices. Great!

At least the manual doesn’t explicitly recommend you setup portfowarding as well…

It seems it’s not just this line made by Dedicated Micros – Ecosense does it as well. In fact, it’s pretty much every one they seem to make. 459 open DVRs in the UK alone.

Interesting Shodan searches: Moxa ethernet->serial bridges

I’ve noticed, whilst sat on the train, an AP called “MOXA”. A quick google shows that these guys are in the “industrial IoT” market. I suspect they have something to do with the CCTV on the train.

Off to Shodan for a search, limited to port 80.

~90 devices come back, nearly all MiiNePort E2. Very few have authentication turned on, many that do are using default credentials.

Screen Shot 2015-04-30 at 18.45.50

A quick glance through the user guide shows that there is a disturbingly easy to trigger reset process:

Screen Shot 2015-04-30 at 18.47.31

Also, there appears to be a utility called NPort which is used for discovering devices. It wouldn’t be the first time that a discovery protocol has been the downfall of one of these bridges.