Device inspection to remote root
Uncovering the sekritz of proprietary software on a fixed wireless terminal and weap0nizing them into a remote exploit
Where: Ruxmon Melbourne
What: Device Inspection to remote root
Who: Tim Noise
tIM NOISE
• twitter/dnoiz1
• github/dnoiz1
• mIRC/dnz
• streetz/notorious D N Z
• [email protected]
Internet subscriber and pirate impersonator
Fixed Wireless Terminals
• Linux Based
• System on Chip
• Provide PoTS and ADSL
• 3G/LTE Backhaul
• Battery and Solar
• Remote Managed
• Deployed in Clusters
For people without copper or fiber
External Connectors
• Ether over USB (DHCP)
• Aerial socket
• SIM Card slot
• 2 RJ11 ports for ADSL CPE and PoTS
Things we can probe
External Connectors
• SIM Card slot
• 2 Management Ethernet Ports (NO DHCP)
• 2 RJ11 power management ports
Things we can probe
Gaining ROOT
always want that uid 0 - the usual tricks
• Removable root Media
• hashcat / jtr
• kernel parameters
• init=/bin/sh
• single user mode
• Lucky for us, the root password is printed on the PCB (not even joking)
One Step FURTHER
• Connect back payloads
• Dial 1900 numbers for profit
• UDP broadcast the attack
• Intercept data and telephony
• Insta-botnet / onion network
• Other bad things
For internet bad men