Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Weak passwords? Better call The Doctor.

Every network presents its own unique opportunity for a penetration tester. Often, hidden among the innumerable workstations, servers, printers and switches, a tester will stumble across a specialty system quietly fulfilling some obscure business requirement. These edge case systems can provide the tester with a chance to highlight the different, sometimes surprising, ways an attacker could impact the organization.

Below we describe a recent internal network and wireless network penetration test performed at a facility where a few simple, commonplace errors resulted in our comandeering robotic service carts used within the facility.

The overall internal penetration test was progressing in an acceptable fashion and a comfortable level of compromise had been achieved, with target data located and exfiltrated. It was time to move on to searching for alternate avenues of attack, looking to increase both the width and depth of the findings.

Network mapping had uncovered a number of systems listening on the common MySQL port 3306. These systems were checked for the default username of 'root' and a blank password. A single database was found to be using these credentials but, sometimes, one is all that is needed.

12701_f477fe01-1120-436b-9800-adc9a710b87b

Naturally, weak database credentials were interest grabbers and warranted a closer look at this system. A number of other services were discovered: FTP, SSH, and web server on ports 80 and 443. By pointing the browser at the web server it was possible to determine what sort of system it was before poking around in the associated database.

8914_41340c7e-5f68-4def-bbfa-5a1b8e4dab97

Branding on the discovered web interface indicated that this system was associated with a manufacturer of robotic service carts. A number of these robots were noted dutifully trundling through the halls of the facility, delivering important supplies and assisting with janitorial activities. A quick bit of additional research revealed that these robots navigate the corridors along predetermined routes using a variety of built-in sensors and politely announcing their presence and intentions via a small internal speaker. Connecting to the wireless network, the robots are able to call and operate service elevators, communicate amongst themselves, and coordinate with base stations such as the one discovered. From the web interface the robots can be dispatched to a variety of predetermined locations and operators can check the equipment status and view near real-time images from onboard cameras.

The web interface also included an "Administration" tab. Clicking on that tab resulted in a prompt for a username and password. A bit of searching through the poorly protected MySQL database on this system uncovered a likely table named "ui_users" which contained a pair of usernames as well as the associated, encrypted passwords.

10503_8cc79d70-1236-4065-8421-32e2777e3170

At this point, while it would have been possible to launch an intensive, offline attack against the encrypted passwords in an attempt to recover the plaintext, the initial attack considered was the (disturbingly effective) method known as "guessing a few really poor password choices". Using usernames as passwords for service accounts is a popular, if bad, decision. So we used the discovered username for the password.

10524_8dc436c1-8a83-497c-8a27-4969180a23ac

This method proved to be successful on the first attempt and provided, what appeared to be, end-user administrator access to the web interface. This account enabled access to a few additional options as well as a handy bit of information in the form IP addresses for all of the other base stations at the facility as well as the IP addresses of the robots themselves.

11292_b1f77aa1-9d25-4e6a-8a07-fc890ef165cd

A portscan of the other base stations indicated they were operating essentially the same as the one system already compromised, although the MySQL databases were not quite as welcoming in offering a default login with a weak password. The robots were all found to be running SSH as well as a web server on port 9000.

Connecting to the web interface for a robot resulted in a login screen prompting for a username, in the form of an email address, and a password.

12094_d9483e6e-d1da-4f9a-9d5d-80e716d73eba

The previously successful username and password combination was tested against the robot's SSH login and, slightly modified to fit an email format, against the web interface login. Both instances were met with rejection.

Temporarily stymied in the attempt to access the robot, attention returned to the compromised MySQL server. There were two accounts detailed in the "ui_interface" table and the "REDACTED2" account could possibly provide the access desired. Based on the recent experience with the "REDACTED" account, using the username as the password for the "REDACTED2" account was the starting point again.

11903_cf1825e9-420a-4bd0-89d3-c2bdf70361b6

Not only was the "REDACTED2" account using "REDACTED2" as a password but it appeared to provide an elevated 'developer' level access to both the web interface and SSH on the base station.

The same combination was then found to provide SSH access to a robot. 11193_ad715128-4c4d-4aad-b198-540fdad85027

The "REDACTED2" account, as a member of the sudoers list, provided a comfortable level of access to the targeted robot. Still, the system had a web interface that likely would provide some interesting and easy-to-use features. A search through common file locations revealed the PHP file used to authenticate web users. After a making a backup and a quick modification to the PHP the web interface provided 'super' user access with any random username and password combination.

8750_37e765c4-6d63-434c-a437-8ad7ca84b187

 

The web interface presented a wide variety of administrative options for the robot. A 'super' user could change or load new routes within the facility, or building floor plans, audio files, and modify key configuration settings. While the SSH access alone would have facilitated making these sort of changes, the web interface was specifically designed for this type of activity.

This degree of compromise leads to an old problem. What do you do to a system to show that you can do ANYTHING to a system? It was important to highlight the import of this finding in a way that would be memorable and informative for the client. Obviously, nothing destructive or disruptive, these robots were performing important work all across the facility and any real interference would be unacceptable. While it would have been possible to have all the robots form a massive robot flash mob in the office of the CEO it could be overkill and may have had considerable negative impact on client relations. Eventually, an idea was developed that would leave a lasting impression with the minimal amount of disturbance; a proof of concept that would resonate with the target audience.

First, a trip to the local hardware store was needed to pick up some special equipment.

7665_02afa311-d30e-498e-b79f-49308e976bda

Next, an available robot recharging in the docking bay was located. After logging into the robot via the web interface a pair of specially chosen audio files were uploaded and the robot was instructed to play the new sounds over its internal speaker when performing certain actions. The lucky robot was then equipped with it's new accessory and asked to 're-dock' which involved simply backing up a few feet and pulling forward again on to the charging plate.

You can view the results in the video below, having your speakers turned on is highly recommended.

In the end, the client was provided with the detailed report with all the penetration test findings including information on the danger of default installations, weak password choices and the greater potential impact of the above video Finally, the client was presented with a small souvenir from the penetration test: one plunger, gently used.

Latest SpiderLabs Blogs

Secure Access Service Edge: Another Multi-Tool for the SOC

Over the years, several security defense architectures have merged into a single solution. Endpoint detection tools can perform sophisticated detections and correlations that used to require a...

Read More

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a...

Read More

The Sentinel’s Watch: Building a Security Reporting Framework

Imagine being on shift as the guard of a fortress. Your job is to identify threats as they approach the perimeter. The more methods you have for detecting those threats, the better your chances of...

Read More