This presentation dives into the crazy world of serial port converters, remote access devices, and terminal servers, demonstrating simple methods for accessing thousands of servers, routers, and point-of-sale systems using Metasploit.
Serial Port Servers
• Known as serial-to-ethernet converters or terminal servers
• Used for remote management, logging, out-of-band access
• Widely used for industrial, point of sale, and transportation
Serial Port Servers: Components
Evolution, eCOS, VxWorks, or Linux
Management UI
• Telnet, SSH, HTTP
Serial ports
• RJ45, DB25, DB9, DIN
Network ports
• Ethernet, GSM, 3G, LTE, WiFi
Serial Port Servers: Features
telnet, SSH, and HTTP
• TCP socket proxy ports provide direct pass-through
• Proprietary protocols for virtual COM port drivers
Serial port monitoring and automation
• Some products offer basic automated interaction
• Use expect-style logic, can alert, send commands
• Stream to remote hosts when criteria are met
Serial Port Servers: Development
create custom code, and resell
• Custom automation for industrial, medical, and telco
• Development is typically in C, Python, or scripts
Expanded use beyond serial ports
• GPIO pins used for custom hardware integration
• Wireless support for Zigbee and other RF serial
• Support for MODBUS and other IA protocols
Use Cases: Even More
tracking of vehicle location via 3G + GPS
• Remote management of fleet fueling stations
IT Systems
• Remote access to UPS and PDU for remote reboot
• Remote access to servers, routers, and switches
• Out-of-band equipment access via GSM & 3G/LTE
SHODAN, Internet Census 2012, Critical.IO
http://internetcensus2012.bitbucket.org/
• Critical.IO (private)
Try to detect servers using multiple protocols
• Digi Advanced Device Discovery Protocol
• SNMP “public” System Description
• Telnet, FTP, and SSH banners
• Web interface HTML
• SSL certificates
Serial Port Device Exposure: TCP
than SNMP and smaller sample sizes
• 8,000 Digi devices found with FTP exposed
• 500 Lantronix systems detected via Telnet
• Telnet & FTP ambiguous for some devices
• HTTP and SSL also ambiguous

Certificate chain:
  s:/CN=192.168.0.60
  i:/CN=192.168.0.60

HTTP/1.1 302 Found
Location: https://127.0.0.1:8080/home.htm
Content-Length: 0
Server: Allegro-Software-RomPager/4.01

Trying 192.168.0.60...
Connected to 192.168.0.60.
Escape character is '^]'.
login:
Serial Port Device Exposure: ADDP
default only on some equipment
• Three “magic” strings: DIGI, DVKT, and DGDP
• DIGI magic is used for “normal” Digi products (87%)
• DVKT magic is used for third-party builds (13%)
Serial Port Device Exposure: ADDP
password, which defaults to “dbps”
• Change the running network configuration (DNS, IP, etc)
• Change the DHCP and WiFi configuration
• Reboot the device
Serial Port Device Exposure: ADDP
interface to disable the ADDP protocol
• Often no way to change the “dbps” password
• Metasploit includes an ADDP reboot module

$ msfconsole
msf > use auxiliary/scanner/scada/digi_addp_reboot
msf auxiliary(digi_addp_reboot) > set RHOSTS 192.168.0.60
msf auxiliary(digi_addp_reboot) > run
Serial Port Server Authentication
the device
• Typically done via the web interface or telnet
• Some support HTTPS and SSH management
Default Passwords
• Digi equipment defaults to root:dbps for authentication
• Digi-based products often have their own defaults (“faster”)
• Lantronix varies based on hardware model and access
  root:root, root:PASS, root:lantronix, access:systemn
Serial Port Passthrough Services
and 3001-3032
• Digi uses 2001-2099
Connect and immediately access the port
• Linux root shells sitting on ports 2001/3001

[root@localhost root]#
Serial Port TCP Multiplexed Services
encrypted (SSL) version is on port 1027
• 9,043 unique IPs expose RealPort (IC2012)
Digi can expose up to 64 ports this way
• Client must know (or guess) the line speed
Serial Target Shells
or via RealPort multiplexer
• One 16-port Digi exposed 16 shells across FreeBSD & IOS
• The target devices DO support authentication…
Serial Target Authentication
“disconnecting” from a serial port
• Some network devices enforce inactivity timeouts
• Others stay authenticated until an explicit logoff
Exploitation & Beyond
Default, missing, or weak passwords make this easy
• Used Metasploit to bruteforce purchased gear
• Passwords were “dbps”, “digi”, & “faster”
Lantronix exposes a full Linux environment
• All of the standard tricks apply (sniffers, scripting)
Digi provides remote data logging
• Send all serial data to an external IP (UDP/TCP)
• Trigger based on content, data, timing
Remediation
and non-default username
Scan for and disable ADDP wherever you find it
Require authentication to access serial ports
• Enable RealPort authentication and encryption for Digi
• Use SSH instead of telnet & direct-mapped ports
Enable inactivity timeouts for serial consoles
Enable remote event logging
Audit uploaded scripts
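One way to turn the passthrough-port and remediation slides into a concrete check, as an added example that is not part of the talk: this Python script walks firewall or flow-log lines and reports allowed traffic to the Lantronix (3001-3032) and Digi (2001-2099) passthrough ranges and to the encrypted RealPort port 1027 named above. The key=value log format is constructed for the example; ADDP on UDP/2362 and cleartext RealPort on TCP/771 are assumed from Digi documentation and do not appear on the slides.

```python
"""Flag flows to serial port server services in firewall/flow-style logs."""
import re
from collections import Counter

# Constructed sample log lines (key=value firewall format invented for this example).
SAMPLE_LOG = """\
proto=udp src=203.0.113.5 dst=192.0.2.10 dport=2362 action=allow
proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=771 action=allow
proto=tcp src=203.0.113.9 dst=192.0.2.11 dport=3001 action=allow
proto=tcp src=203.0.113.9 dst=192.0.2.11 dport=2015 action=allow
proto=tcp src=203.0.113.9 dst=192.0.2.11 dport=443 action=allow
proto=tcp src=203.0.113.12 dst=192.0.2.10 dport=1027 action=allow
proto=tcp src=198.51.100.4 dst=192.0.2.12 dport=3033 action=allow
"""

LINE_RE = re.compile(r"proto=(\w+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def classify(proto, dport):
    """Label the serial-server service behind proto/dport, or None if unrelated."""
    if proto == "udp" and dport == 2362:
        return "addp-discovery"          # assumed ADDP port (Digi docs, not the slides)
    if proto == "tcp" and dport == 771:
        return "realport-cleartext"      # assumed plain RealPort port (Digi docs)
    if proto == "tcp" and dport == 1027:
        return "realport-ssl"            # encrypted RealPort, from the slides
    if proto == "tcp" and 2001 <= dport <= 2099:
        return "digi-passthrough"        # Digi direct-mapped serial ports
    if proto == "tcp" and 3001 <= dport <= 3032:
        return "lantronix-passthrough"   # Lantronix direct-mapped serial ports
    return None                          # e.g. 3033 is just outside the range


def find_serial_exposure(log_text):
    """Return {(dst_ip, label): count} for allowed flows to serial services."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip lines that do not parse
        proto, _src, dst, dport, action = m.groups()
        if action != "allow":
            continue                     # blocked flows are not exposure
        label = classify(proto, int(dport))
        if label:
            hits[(dst, label)] += 1
    return hits


if __name__ == "__main__":
    for (dst, label), n in sorted(find_serial_exposure(SAMPLE_LOG).items()):
        print(f"{dst:15} {label:22} {n} allowed flow(s)")
```

Each reported (destination, service) pair is a device to inventory and then lock down per the remediation list: disable ADDP, require RealPort authentication and encryption, and move console access to SSH.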
Summary: Exposure
on mobile connections, no firewall
Concentrated within a few mobile ISP subnets
Discoverable via SNMP, ADDP, RealPort scans
Network configuration exposed through ADDP
Indexed by Internet Census 2012 & SHODAN
Summary: Authentication
hardcode ADDP password
Most servers do not authenticate the serial port
Most serial devices do not automatically logout
13,000 serial ports lead to authenticated shells