Hacktivity 2013: Hacking CCTV systems

Video in TIB AV-Portal: Hacktivity 2013: Hacking CCTV systems

Formal Metadata

Hacktivity 2013: Hacking CCTV systems
CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Content Metadata

Subject Area
CCTV systems are in their prime today, and are used all over the world. These systems however can lead to a false sense of security. Most of them use proprietary software, which has not been adequately tested for security vulnerabilities. I will demonstrate this by reverse engineering the firmware, and will use that information to gain root access to the security system remotely. (This will be a demo with an Identivision DVR, and will cover the process all the way from first analyzing the security equipment, to reverse engineering the firmware, to using the information found to gain remote access to the system. Then I will show some things that can be done once root access is gained.) I will also explain some of the most common security mistakes that manufacturers and users make with these security systems. I hope to give a general awareness about their use, and the risks involved.

Hello, my name is much, and I'm studying at Budapest University of Technology and Economics, and I'm going to be giving a speech on hacking CCTV systems. You've already seen lots of fun; I have to do lots of demos, and hopefully everything's gonna work great. So first, what is CCTV exactly? CCTV is closed-circuit television, and that's the description by Wikipedia, but CCTV is basically security cameras, at least in our case: security cameras and their networks. So here I have my own analog cameras, which you can see here; there are so many happy people. And this is hooked up to the digital video recorder, which is what we're on now. Probably this is all the more familiar, yeah, the lecture slide show, which is the digital video recorder, but it's important to note that the same can be done with IP cameras; they have very similar structures. So this is our target today, the Identivision DVR.

But first we start with the story of how I got into hacking CCTV systems. My dad works at a company which buys and sells CCTV systems and alarms, and he brought home one day an Identivision DVR like what I have here, and I remember I spent many sleepless nights on it. Basically what he said was: we forgot the password and you're going to have to hack it. So I got right to it and I started reverse-engineering the firmware and everything, and then he had a really great idea: he said, I want to try the password 12345, and amazingly enough it worked. That's a very secure password; they use it all the time. And the funny thing is, 99 per cent of these DVRs which I have recovered passwords from have used the password 12345 or 54321, which is just a little bit more secure.

So let's check out the basic usage of this DVR, and then we'll check out a network analysis with nmap. So we have the DVR and we can see the picture from the camera. Let's see what we can do. Here we have a login, and if the password is not empty then it's usually, and so, 12345, my secure password. So what can we do with this? Well, the main function of the DVR is actually recording the video, and in the Advanced Settings you can check out the users. So we have a basic admin account, and its password is 12345, and then we have guest and default, which are basically not really good for anything, but they use them. And this is about all that's documented, so this is how people use this system, and they have a web interface for this whole thing. So if I open a web browser and type in the IP address of this DVR, then I can have access to a nice little web graphical user interface, of course if it loads. OK, so we're at the same screen and the password is the same, so we can log in and we can check out this nice page; we can view the camera, the free running time, yes.

And I have to start off with my favorite part: we found an interesting bug or feature, somewhat, in the web user interface, which basically consists of: if you don't know the password, say we don't know that the password is 12345, let's try 'hacktivity' as the password. It throws back an error saying sorry, wrong password. Again, a wrong password, the second time; nobody... the third time, still; and on the fourth time... Who thinks the same thing is going to happen, the same error message? Who thinks that I'm going to log in immediately by some amazing magic? ... Right, back again. OK, what about this time? Who thinks the same thing happens again, the error, exactly the same as it did so far? And who thinks I'm magically going to log into the system? I do. So, bug or feature, I don't know, but that's a great way to... yeah, the funny thing about this is that it doesn't work: you can log in, but if I try to view the camera it won't let me. So basically it's not really good for anything, unfortunately, although I never tried the PTZ functions for moving the camera. This camera cannot be moved, but there are certain cameras which can be rotated, zooming, everything; maybe that works, but I cannot see the picture from the device anyway. Maybe this is a honeypot or something, but it's something very interesting that I found anyway.
Let's then do a simple analysis with Zenmap, because we like graphical user interfaces. Let's do an intense scan and check out what it gives us. By the way, the documentation for this basically only talks about the graphical user interface which is built into the device. While the scanning is running, let's switch to this device: it has a nice little feature which works against brute force. So I log out and log back in, and I try the empty string as the password a few times, unfortunately 7 times, and... I found that it actually activates all the alarms after the wrong selection 7 times. So this might be some crossover with the web user interface, and now the account has been blocked, so if I try logging in with this password, which is the right one, it won't let me. Meanwhile the service scan is running, so we'll have results soon. We can already see right here that port 23 is open and port 80 is open; port 80, because that's the web user interface, but port 23, now, I didn't see that documented anywhere. When the service scan has finished we'll check back. You don't know how long it locks it for... And they have a remote control for it, which doesn't work without a battery for some strange reason. The behavior is, it only works after reboots, or maybe after a longer period of time, but we'll check. nmap is almost finished with its service scan; let's switch to another... what's running on this device.

So if I could somehow extract the information from the firmware for this device, then maybe I can find some information on how to log into that Telnet to reset the password to 12345, because we forgot it. So the funny thing is that on their website, if you go to the Identivision website, at least I couldn't find any firmware updates, but there is a Hungarian company called LDS which is selling these devices, and they have a web page where you can download all firmware upgrades. So I downloaded it. I'm working with a little bit older version of firmware, because that's what I tested on, but this pretty much works for the newest firmware as well. What I'm about to show you doesn't just work on this device; the scary thing is, it works on 99 % of the devices. So this whole Telnet function is something that they really like doing, and I'll tell you why. So let's say I forget the password for this device. What do I do? For example, if you forget the password for this whole thing, you'd probably press the reset button on the back, or someone who remembers could try 12345. But the reset button will probably fix it, because you reset to the default factory settings. However, this DVR does not have a reset button; as much as I tried to find it, it's not there. Why? Because if you forget your password, why would you want to reset it yourself when you can pay a bunch of money for other people to do it? So the basic procedure for resetting the password if you forget it is: send it back to the company, pay them money, they log in via Telnet with a password that they already know but we don't know, and they will reset your password for you. But I don't want to do that; I want to reset it myself.

The nmap scan should be finished by now, and yes, it's done. Anyway, here are the ports, and there is a BusyBox Telnet daemon running on port 23, so that's all confirmed.
Now let's get to the fun part: reverse-engineering the firmware. This is probably the only page of my slides for that; the rest of my slides, basically, this is done on demand... Alright, that's the firmware. So I downloaded it. What does the firmware look like? Like this: it's a binary file, and not much to do with it; you basically upload it onto the device and it flashes itself. So let's see what this binary file is. We can use a tool called `file`, and it tells us that this binary file is actually basically just Zip archive data. So we don't need to be scared by that .bin file extension; it could basically just be renamed to .zip and it's the same thing. Well, you don't even have to rename it, we can just unzip it like this. And here are the files: these are u..., custom, x..., romfs.img and some other stuff, and a file which is called install, which is just text. So let's print that out and see what it is. OK, so there are other commands telling the DVR to burn this to the flash; this is basically just commands, nothing really interesting in here, except here's a hardware identifier and vendor: general. But it gives us a lot of information.

So let's see these other files. So there's 1, 2, 3, 4 image files on here. u... actually contains very little, very surprising, so that's not of much use to us. Let's check out the romfs; doesn't that sound like it would be something interesting? It's important to know if this firmware has been encrypted with something or compressed with something, so we can run strings on it, but first let's run file on it to see what this is. It tells us here that this is a u-boot PPC ROM image. Now if I search the internet for this and try to mount it, after hours and hours of trying I couldn't get it to work, and I wondered why, because if I run strings on it I'm getting a bunch of weird stuff, so basically nothing readable. But after searching for a long time on the internet, I'll first show you guys the way I did it, which took me about 2 days, and after that the proper way to do it. ... So by searching online I found a website talking about these u-boot PPC images, and it was about hacking flash, this sort of memory, something; anyway, it said that this u-boot, which was identified by file as a u-boot PPC image, is actually a compressed image with 64 bytes of header at the beginning. And we can actually check this with a hex dump, so we can see in the beginning: all of this is the magic; I don't know it, but here these first 64 bytes of data are basically just the header, and then comes the compressed ROM. So if we can get rid of the 64 bytes of header, then we should be able to mount it with no problem, because right now, if I try to mount this image, let's see what happens. OK, 'wrong device' means mount -o loop... I must first specify the file system type. OK, let's not do this; let's instead remove the 64 bytes of header at the beginning of this file. We'll use dd for this: name the input file, which is romfs, and name the output file, which is gonna be just simply romfs.out, and then let's tell it to skip the first 64 bytes of data. OK, so this basically skips the first 64 bytes, passing it all byte by byte, actually, and outputs that to a little file without that bothering 64 bytes of data at the beginning. So now running file on it, on this romfs.out, which is basically the same file just with the first 64 bytes of header stripped off, we get Linux Compressed ROM file system data. It's a completely different image file now, and luckily for us we can mount this. OK, it's mounted. Let's check it out; it looks like this: it's all in green, you can see... but I can open it up here in the graphical interface so you can see it better. So we mounted it here and this is what it looks like.
We mounted this file and it looks like a pretty complete Linux system to me, and if we know where to look we can find interesting files, and then we can display their content and we can find a password hash. The interesting thing about embedded systems is, usually on most Linuxes these days, if you look at the passwd file you would not find a hash here; it's something like, yeah, that's right, shadow. Well, embedded Linux, unfortunately, there's not much about shadow, because they're not implementing it very much, at least not in these systems. Actually, I think OpenWrt, which is embedded Linux firmware for routers, only just started using shadow as far as I know, but correct me if I'm wrong. But anyway, in our case we have a cool hash here which is not shadowed, and this is a simple passwd file. But if we don't know what kind of hash this is, we can always just give it to John, and it'll tell us. So, putting the entire line into John: here it is, the hash, first, and then we'll run John. OK, let's run just normal John; ... is basically the same thing except it cracks in multiple threads, which makes it work a lot faster usually. So you just have to specify the hash list for it, and that's the whole command: john hash.txt, and it will tell me: loaded 1 password hash, traditional DES, 128. So here we can find out that this is actually DES. Now if you were to let John crack it, it would probably crack it in around 3 hours, and this is not so good, but it does crack it after a while. However, if you would use some other program, for example hashcat, for me it cracked it in around 17 seconds, which is pretty fast. Anyway, I've already cracked it at home, and I got a really cool password which looks like this. And I was actually thinking about whether to show the root password or not, and I searched for this exact password on the net and found Twitter posts posting this password, so it's actually nothing new. Anyway, this is a cool root password; let's try logging in with it and see what happens. And now the user name: from here, root. So let's try it again: who thinks I'll log in immediately? Who thinks a banner's going to pop up? Who thinks it's going to give me 'you're not authenticated'? So we're in, and we're root. We basically just hacked into the device without knowing the password, just the hash of the password, extracted from the firmware. And it didn't take us a long time to do that; hashcat spent 17 seconds cracking the hash, so it was pretty easy to do. And now that we're root we can take a look around the system. Now it looks pretty much like the firmware we took apart, and I'll show you how to do that in a couple of minutes; I'll show you what you can do inside here with root. But first let's check out
another thing: say I didn't know that the header was exactly 64 bytes, because no one picked up on it on the net; yeah, how would I guess that? Well, there's a really awesome tool for that; in fact, there are really awesome tools that automate this entire process for me. Let's switch back to our home directory, go back into the firmware. OK, so here's all the stuff I extracted manually. There's a really cool tool called binwalk. If we run this on the firmware, let's say, let's delete the romfs.out that we did. OK, so this is just the stuff extracted originally from the .bin file, sorry, from the binary file, which is basically just a zip, and let's run binwalk on it. It'll tell us, OK, right here, it tells us that this is a uImage header which is 64 bytes long, so I don't have to guess that; next time I know exactly how long the header is. And it even tells me a bunch of very important information about this, too: the header size, the CRC data, which is, this is just the header CRC, but in the header it also stores something such as the data entry point and the data CRC. So if I want to make changes to this firmware, say I want to make some custom firmware for this device without Telnet turned on, or with many different passwords, this is actually a good idea; I haven't done it yet but I'm definitely going to; then this CRC data would need to be changed to the corresponding CRC of my modified data. So it's nice to know that this is exactly a 64-byte uImage header. If we check it out in the hex dump we can see exactly all this information, where it was taken out of. An interesting story: before I stumbled upon binwalk's solution... actually the funny thing is that when I started working with this binary file I did it the hard way and finally got it to work, and as soon as I finished getting it to work I found a way to do it easier. And the same thing with this: I found binwalk after I had already reverse-engineered the whole thing.

Anyway, let's check out what binwalk can do. It has a very nice extract function; don't forget the capital M in the command. OK, let's get rid of the extracted stuff. Let's say we only have the binary file, right, and we want to automate every single step of the way; we don't want to do any hard work. OK, so we only have the binary file, and then we run binwalk with the capital M and the e switch, and what this will do is automate the entire process for us. So binwalk will basically take a look at the image, it'll say OK, this is a zip, it'll extract it, and then it'll take a look at the extracted image and it'll say OK, what is this? It'll find 64 bytes of header at the beginning, it'll find the rest of the data at the bottom, and it'll be smart enough to separate that and extract it. So if we run this it'll do it all by itself; we don't have to do anything, just sit back and relax and watch it do its hard work, and it does everything for us. It's already finished, and now if we check back we find a nice little directory with everything extracted. So now we go back into our romfs; we can see here that it has extracted everything for us. So here is the system; it's only seen in green so you can't read it, and this is the whole thing. We can go to etc and we can check out the password file, and there's the hash. So this whole thing can be automated for us, and yeah, so this is a really simple way of doing it. Actually binwalk has a bunch of other features which I'm not going to get into now, but it has something called the string search, so I can run binwalk with capital S and it will give me all the strings that it can take out of this binary file. Now it's not getting a lot from this binary because it's still compressed, but I got some interesting information after extracting. I can go into the extracted directory and check out all these images. I can, for example, run binwalk -S on the romfs and it'll give out a bunch of strings, which is really nice; it's basically all the files that are inside it, and if we use this like this then we get the exact location, number 2, which is called... OK, so now we've reverse-engineered the firmware. One interesting thing about this firmware is that it has a very interesting file called Sofia.exe, and what is an .exe file doing on a Linux system? I don't have any idea, but my theory is that they ran out of developers and they found a C# developer, because there are just so many more C# developers. But yeah, so they have an EXE file which I didn't reverse-engineer yet, because I'm not really good at
reverse-engineering yet, but it's planned. OK, so now we're root in the DVR system, and let's switch back here to see that basically nothing has changed, same picture, so the DVR has no idea it's been hacked. And let's check out the stuff we can do. OK, so let's reboot the system first, because it might still be locked down from trying the wrong password too many times. ... Meanwhile it's rebooting: just a side note, these gloves, right at the front, they gave them with the DVR so I can keep my hands clean; it's actually for handling the hard drive, interesting; anyway, I just brought it so you might find it interesting; you get my spare gloves... that is, if you buy the DVR you get them. Cool, it has started up, and let's log in. OK, so we're in, and say we don't know the password, 12345, right. So, as I just mentioned, the password is actually still 12345, cool, so that works. OK, let's say we don't know this and we want to reset the password; how would we do that?

Well, if we know the master password, then I would list the files here, and we go to the mnt directory, the mount directory, and check out what's here. OK, so here is basically: web contains all the stuff for the web graphical user interface, and usb contains the USB mounts; there are 2 USB ports on the back which you can use for firmware updates; the global..., custom..., and basically what's interesting for us is the mtd. OK, so we have a nice folder here called config, and if you check out what's inside that we get... and I think this one of them is interesting; actually when I first got this DVR it had 2 files for this, account1 and account2; I don't know what the second one does, but the first one is the one that works. So now let's look inside this account file, and I was actually amazed that this password was not in clear text; it's hashed using something; these people really... users in here, and then the admin's account password with, uh, this is some kind of hash; very, very long and secure hashes, you can see. But we don't need to crack this hash right now, because if we check out mount, we can see that where we are, mnt, is mounted as a read-write system, so we can make any changes we want to it; we can put a new hash inside, or we can just simply remove this. Let's see how the DVR likes this. And so this time, first logging in with 12345, the right password, it's gonna work because it didn't really get... but on the next boot, after I reboot it, we should be able to log in with no password, because if it doesn't find this account file, if it doesn't find this account1 file, it automatically resets to the factory default settings, which is basically just an empty string for the password. So we can log in with no password and see how that works after the reboot. Logging in... and no password. So that was it: delete that account file and we're in. Cool.
OK now on why why is this scary and because these things are actually being used and it's not just identification nothing wrong with them they they basically make similar products other stuff I can list CP plus a bunch of other vendors they make the same stuff and they all use this talent passive OK there's is not the same but they also have a master password and it's commonplace to use master passwords but that's not really good idea because we just saw how easy it was to reverse engineer this and to extract a master password and that's all I need to do and basically any identities and product that I'm gonna use will use this password whether a DVR to camera they all use the same master password so from here on if I go somewhere anywhere to to some company which uses this all I need to do is get on their land somehow and then and I can basically login to the out to to the DDR a final past work along indiantown at and I can do anything like it's about mounted 5 amount of different point like if I don't touch the account but let's say I I can wipe the entire contents of the hard drive from here which basically means that they have no security footage anymore so all the security footage that was taken will be just gone because you can delete it with 1 command and then I can modify data and what kind of hard to modify the video files input about this novel but I can also clear logs I can basically do anything because I'm root and maybe there's some truth to that idea if anyone can be route with just knowing this short little password and this is the same for the myself again most of the DDR as use this like most most of the things that they they all have a master password so that you can all log into them yet talents and your route you can do anything you want they each have a different password which you go whole reverse-engineer the firmware get the password crack at and and urine and yeah so but let's let's think of a solution for this problem well say 1st solution 
is don't use a master password. That's probably not the best way of... and even if they would use a master password, why use the same password for every product? Or at least make a way for us to turn off that telnet function. Like, I would put some switch inside, which you would have to press, a button or something, so that the telnet could only be turned on if you bring it back to the factory, or better, it does not use telnet and put a reset switch on it. Now, that may be the best idea, but then not so much income for the... I don't envision. So another method, if the companies don't want to change: you can always make custom firmware, which is not actually that easy, but it can be done. And in the custom firmware, basically, you can change your telnet password to whatever you want, or effectively even disable the telnet daemon inside the firmware, so you can essentially make your device completely secure. And why is this important? Well, the security systems, we expect them to be secure, because that is what they do: they take care of our security. We can say that they store all the data from the video cameras, they are an essential part of our security, and if they're so easy to hack, then where we're using them, they give us a false sense of security. Yeah.
So, but anyway, every life picture, so it is useful for something. And basically all that needs to be done to make this really secure is just for vendors to change this some
telnet setting. It's really cool, and not to mention that also these devices, going back to examine this one for example, don't use any specific ports, but there are some more advanced DVRs which use special ports because they have special software which works with them, and this is mainly proprietary software which is known for... and that can also be exploited. And I don't know actually anyone who actually looks at these systems and tries to hack them. Like, some hackers are hacking computers, mobile phones, all sorts of things, but I never actually met someone who works with hacking the security systems. That's why it's interesting to show this to you guys, so you know that it's actually not that hard. You saw how simple it was, and yet this is what's being used today, and that's the level of security. So my suggestion is: either get the vendors to fix this, or, if you actually have any other suggestions, I can tell you... how many times have you... the odds are there, most of them are like this and use this technology, so basically they're all not secure. And we can take a look at the newer firmware I
downloaded from actually four,
four and many more devices. I did not analyze all of them now, but they all have the same vulnerability. The best firmware I actually found so far was one firmware, and why was it so? Because it was encrypted and I can't open it, so I have no idea what's inside. But yet one more interesting thing about this idea is that if we take it apart, if we take it apart, we actually find this whole... the data on the board inside. Most of it is the space for the hard drive, and then there are active debugging ports on it, which means that I can essentially attach... so I was told that OK, I'm going to have to use the... five more minutes... and they're obviously something really, really cool. ... It was a very interesting topic, to hack into the system not over the network. Like, there are some systems maybe which we cannot access this way, but we can get access straight to the board if we can get at the hardware, into those debug ports. You can buy for a couple of dollars on eBay a converter which you put into USB, and put onto the board, just like three pins, and you can connect it to your computer, and when the DVR starts up you will immediately see it running; you press Ctrl-C, it stops the whole thing, and you're basically root. And you can do exactly the same thing as I did right here, without even knowing the telnet password. So you don't have to reverse engineer anything; you basically just connect to it and you're root, it doesn't ask anything. Because if I took the whole thing apart, then I can do the same thing as if I was able to reverse engineer the firmware: if I'm root, then I can do the same thing without the firmware. If I'm root I get a terminal shell and I can just see the /etc/passwd file and open
it and read the hash and crack it the same way. And that's another thing which can be done on the CP Plus DVRs, which I checked; I couldn't find anything about ports, but like I said, they are also vulnerable to this. So I couldn't call this hacking, because basically nothing special: the telnet is open and I connected to it with this password. I would not even classify this as hacking, except for maybe reverse-engineering the
firmware, because basically all I did was just... maybe cracking the hash could be considered hacking, but this is basically normal stuff, like you have to be super smart to do this, because this is actually my first time reverse-engineering anything, and I started with... but this is pretty simple. I just read tutorials online how to do it. I checked out binwalk, which is a really cool tool. I'll show something else... just to keep a counter... so that it actually comes preinstalled with BackTrack. How many of you use BackTrack? Show of hands. Do you actually know what BackTrack is, have you seen BackTrack? OK, so it is really cool that it comes preinstalled. However, I had to install it separately, because the version in BackTrack doesn't come with a magic file. A magic file is part of binwalk which actually defines how binwalk can find the stuff in firmware; it's a collection of things that binwalk knows, what's in the firmware. So you can download binwalk from the binwalk site, it's hosted on Google Code, and the latest version you can install. If you're using Debian or BackTrack there's a nice little shell script written to install it, so just run that and it's all set up, and also you can then use binwalk anywhere, like for
example, I can't... I just type binwalk right here and it already runs. On the default version of BackTrack this would not work; I would have to go into the binwalk directory, unless I made it work somehow. Anyway, so if you want to try this at home, and please do, you can download the firmware online, it's not that hard to get it, and try with any kind of DVR and see how it is. And binwalk really is super easy. I mean, binwalk -e basically automates the entire process; I don't have to know anything, I just give binwalk the binary firmware file and it does all the work for me. It extracts everything and basically all I have to do is search for the string root. I mean, how much easier can it get? So binwalk is a really, really cool tool and I definitely recommend it for any pen-testing, and for many friends it's a reverse engineering computer... and
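As an added illustration of the audit a defender can run on a root filesystem that binwalk has extracted (this is my example, not code shown in the talk; the rootfs layout, paths and hash values are constructed), the script below flags accounts that ship with a password hash and init entries that start telnetd at boot:

```python
"""Audit an extracted firmware root filesystem (binwalk -e output) for accounts
shipped with a password hash and for telnetd started at boot. Added example,
not code from the talk; every sample path and value below is constructed."""
import os
import re
import tempfile

HASH_PREFIX = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}
TELNET_RE = re.compile(r"^[^#]*\btelnetd\b")  # telnetd on an uncommented line

def hash_kind(field):  # None means the field carries no usable hash
    if field in ("", "*", "!", "x"):
        return None
    for prefix, kind in HASH_PREFIX.items():
        if field.startswith(prefix):
            return kind
    return "des-crypt" if len(field) == 13 else "unknown"

def read_lines(rootfs, rel):
    path = os.path.join(rootfs, rel)       # [] when the image lacks the file
    if not os.path.isfile(path):
        return []
    with open(path, errors="replace") as fh:
        return [ln.rstrip("\n") for ln in fh]

def find_hardcoded_hashes(rootfs):  # (file, user, kind) per shipped hash
    hits = []
    for rel in ("etc/passwd", "etc/shadow"):
        for line in read_lines(rootfs, rel):
            parts = line.split(":")
            kind = hash_kind(parts[1]) if len(parts) > 1 else None
            if kind:
                hits.append((rel, parts[0], kind))
    return hits

def find_telnet_launch(rootfs):
    """(file, line) for init entries that start telnetd unconditionally."""
    return [(rel, ln.strip())
            for rel in ("etc/inittab", "etc/init.d/rcS", "etc/rc.local")
            for ln in read_lines(rootfs, rel) if TELNET_RE.search(ln)]

def build_sample_rootfs():
    """Constructed rootfs mimicking the DVR layout described in the talk."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc/passwd"), "w") as fh:
        fh.write("root:$1$CONSTRUCTED$notarealhash:0:0:root:/:/bin/sh\nnobody:x:99:99::/:/bin/false\n")
    with open(os.path.join(root, "etc/inittab"), "w") as fh:
        fh.write("::sysinit:/etc/init.d/rcS\n# ::respawn:/usr/sbin/telnetd\n::respawn:/usr/sbin/telnetd\n")
    return root
```

Point the two `find_*` functions at a real `_firmware.extracted/squashfs-root` directory to repeat the check on a downloaded image; a hit in both lists is the always-on telnet plus fixed root hash combination the talk describes.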
Take another show of hands: how many of you like my background wallpaper? ... And how much more time do we have? ... One more minute, one more minute, one more minute. ... Thank you everyone, thank you, I hope you enjoyed this, and have fun reverse
engineering firmware, and keep this in mind next time you pass by security cameras. ...
... well, this is my slide show ...
... yeah, thank you for your
attention.