Ok everyone, here is the long-awaited first post (except for my introduction) and I'm sure you have been waiting...
So here goes. First of all, I want you all to think of the very first credential you would enter when you are faced with a daunting user/password situation. I will tell you mine at the end of this article. You will have to excuse my typing; I don't spell everything correctly or even use punctuation, as you can already tell.
Over Christmas I was fortunate enough to get some time off from work, so of course I squandered most of it away on the computer. However, during this wasted time I came across something that piqued my interest.
This is not a post to prove to you my vast hacker skills or make myself a legend, since it is really more of a security epic fail. But maybe the next time you come across this type of situation your curiosity will be spiked as was mine.
I am not the guy that you will be talking about as having the most prowess or the most IT knowledge, but if you talk about me it will be because I believe I had the coolest hack EVER! (Or you're just talking shit and that's fine too. I am always open to constructive criticism of that nature.) So let's start at the beginning. I will try to reference everything I can.
WARNING: This is not a tutorial nor a challenge. (I want to forever be the winner starting right now.) Illegal activities are illegal by nature and cannot be undone. It does not matter if you are trying to help or trying to harm; the consequences happen to be very similar.
If you are reading this because I gained access to your system just say thanks in the replies.
So let's start at the beginning. It was a VERY rainy day during the holiday season and I was searching through Shodan (https://www.shodan.io/). For those of you who are unfamiliar with Shodan, it is a wonderful web search that looks for IP addresses that have open ports. There are several filters that can be applied and it is a great tool to see if you are not properly secured from remote points. Do not rely on Shodan alone to come to this conclusion. As I poked through numerous results I happened to stumble upon an open port 80 web interface. (Yeah guys, that's right, it was way too easy.) So in my normal curious nature I took the time to open another tab and loaded this baby up. It was an S2 NetBox and it was clearly labeled as so. I have never heard of this particular piece of technology, but I thought to myself, "this might be kind of interesting." Off to every hacker's favorite resource! GOOGLE!
Well, it turns out that a company called S2 Security Corporation developed a very nice piece of technology. It is a system designed to monitor and control building security systems. More specifically, it is an RFID-based system.
So as I sat back looking at these two blank entry fields I thought and thought and quietly murmured to myself, "what the hell!" Bam, first try guys. I never had to open Burp, Hydra, no hashes, no anything! Ridiculous, right? Well, it's out there.
I mean we have all used our skills to check off the bucket list:
---Crack neighbor's router interface and change their SSID to something really stupid or offensive CHECK
---Do it again and blacklist one device to cause confusion and high data usage CHECK
---Crack the work wifi password and use it to wirelessly print photos of Borat in a mankini to your boss's desktop printer while he is on Facebook and you're supposed to be working CHECK
Please add your list of prank-type stupid accomplishments in reply (just for fun). I love new ideas! But this is truly epic considering that most of the time we spend countless hours to come up with a database full of useless information, a weak-ass file server and the occasional porn stash.
Anyways, how many times have you told people, "it's not like in the movies", "you can't just take over stuff", "ETC."? Well, for one time in hacker history it was exactly that. Within 5 minutes I was sitting in front of a nice little GUI web-based interface with admin privileges. If you have still not looked up S2 NetBox, I will explain just what this is. It controls all the RFID-operated door locks, all the elevators, all the alarms, and all the cameras. (In my case the building was using a separate surveillance system, so no cameras were available.) As an admin you can modify users, add users, read RFID info and scan in new cards, as well as remotely operate all building functions and monitor building occupancy. You can easily add another admin account as a back door, or anything you can dream of. And best of all, it is all packaged into a very user-friendly web app that can be interfaced from any OS, and any security professional (i.e. security guard) can learn to efficiently use it after his first day of on-the-job training. Perfect for all ages of hacker.
Although I would have loved to play with this system for several days finding incoming IP addresses to connect with the other five Convergence halls and 2 banks, I felt mysteriously compelled to let the owners of this system know that they were extremely vulnerable. And that is what I did, although it took 3 days for them to notice, maybe because it was the holidays. I started off by entering a work log into the system asking for a credentials modification... and nothing happened. So I contacted a company that I believe was responsible for setting up the security... and nothing happened. And finally I contacted them through their website's contact us page, explaining once again that this was serious... no response, but they did take the drastic measure of changing their password.
Conclusion: I still think this is not an acceptable answer to their security needs. I understand why they finally changed the password (I basically forced them). I understand why this device has a web browser interface (it is functional with any OS so it can be used by any company). But I do not understand why it is on a web-connected network, or at least not firewalled. Each building will be internally managed; access cards will be issued on site to the customers occupying the structure. There is no need to monitor or use this system from anywhere but inside the structure. Without a firewall, when I connect to your IP, if there is a port 80 connection available I will automatically be connected with it. This is a problem. And for credentials: Username: admin Password: (wait for it...) admin. This is unacceptable by any standard, and a large company like Olympia Development Corporation that is managing at least 2 banks and 10 other large office buildings should know better. And so should you.
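The two failures the conclusion names, a management interface reachable from the public Internet and a factory "admin" account still in use, both show up in the appliance's own login log if anyone looks at it. The script below is an added example written for this post, not code from the original author or from S2; it audits a login log for those two conditions. The log format, the field names, the internal network ranges and the default account list are all assumptions for the example, and the sample lines are constructed. Adapt the regex to whatever your access-control system actually writes.

```python
"""Audit an access-control appliance's web-login log for two findings:
 - any login attempt from outside the building's internal networks
   (the UI should not be reachable from there at all), and
 - any successful login to a factory-default account.
Log format, network ranges and account names are assumptions for
this example, not the vendor's real format."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample log lines (hypothetical format: time, source, user, result).
SAMPLE_LOG = """\
2015-12-24T10:02:11 src=192.168.10.44 user=guard1 result=ok
2015-12-24T10:15:03 src=203.0.113.7 user=admin result=ok
2015-12-24T10:15:40 src=203.0.113.7 user=admin result=fail
2015-12-24T11:00:00 src=10.0.5.12 user=admin result=ok
2015-12-24T11:30:00 src=198.51.100.9 user=facilities result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Networks from which management logins are expected (assumed: the RFC 1918
# ranges). Listed explicitly rather than using ip.is_private, because that
# property also matches documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Factory account names that should be disabled or renamed after install (assumed).
DEFAULT_ACCOUNTS = {"admin"}


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the expected internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def audit(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per problem seen; a line can yield two findings."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not login records
        rec = m.groupdict()
        if not is_internal(rec["src"]):
            findings.append({**rec, "issue": "login attempt from outside internal networks"})
        if rec["user"] in DEFAULT_ACCOUNTS and rec["result"] == "ok":
            findings.append({**rec, "issue": "successful login to factory default account"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['user']}: {f['issue']}")
```

On the constructed sample this reports three external login attempts (two from 203.0.113.7, one from 198.51.100.9) and two successful logins to the admin account, one of them from inside the building. The external findings are the ones a firewall rule limiting the web UI to the internal ranges would make disappear; the internal admin login is the reminder that changing the password is only half the fix, and the default account itself should be renamed or disabled.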
The webpage for the building in question is
http://www.olympiadevelopment.com/new-olympia/index.php/portfolio/convergence-center-iv.html
The static IP address of the system that still has not blocked outside connections (as of the time I post this) is
70.165.69.25
I am not encouraging anyone to hack this system as it is illegal as hell and a company like this has the resources to own you for it. This information is only for verification purposes. Call me a script kiddie, I don't care, I'm not far from it. I'm not out to hurt people or do stupid stuff, but this would even meet my definition of stupid! Let's get our shit together guys and help other people do it too.
God bless you and happy new years,
noSec