markdown updates, initial CUJO notes

This commit is contained in:
Conor Horan-Kates 2016-11-28 17:45:35 -08:00
parent 0b74f8ce09
commit d487075184
2 changed files with 147 additions and 0 deletions

View File

@ -6,6 +6,7 @@ shiny devices are fun, finding and poking holes in their interface is a _lot_ of
## devices ## devices
name | description | url name | description | url
-----|-------------|----- -----|-------------|-----
[CUJO](http://trycujo.com) | purposeful MiTM device for internet 'security'
[LG webOS](http://www.lge.com) | HTTP phone home is never a good idea | [lg-webOS](lg_webOS) [LG webOS](http://www.lge.com) | HTTP phone home is never a good idea | [lg-webOS](lg_webOS)
[HooToo TripMate series](http://www.hootoo.com) | there are lots of problems, some end up at root access | [hootoo](hootoo) [HooToo TripMate series](http://www.hootoo.com) | there are lots of problems, some end up at root access | [hootoo](hootoo)
[Philips Hue](http://www.meethue.com) | device communication insecure, Ruby library/CLI to control via REST HTTP | [hued](https://github.com/chorankates/hued) [Philips Hue](http://www.meethue.com) | device communication insecure, Ruby library/CLI to control via REST HTTP | [hued](https://github.com/chorankates/hued)

146
cujo/README.md Normal file
View File

@ -0,0 +1,146 @@
# CUJO
- [device](#device)
- [digging](#digging)
- [nmap](#nmap)
- [sniffing](#sniffing)
- [impersonating](#impersonating)
- [phone home](#phone-home)
## TV
name|value
----|-----
model|TODO
product|`TODO`
firmware|`TODO`
features|TODO
vulnerabilities|all phone-home calls are done over `HTTP`
## digging
### nmap
from `nmap -PN -sV <device>`, we get:
```
<TODO all ports are closed>
```
### sniffing
watching the network activity of the device (`192.168.1.108`), noticed it tried to resolve:
* agent.cujo.io
* jenkins.getcujo.com
but since the network isn't allowing external traffic, the DNS resolution fails.
the device continues to retry this, but takes no other action.
using `dnsmasq`, spoof these addresses to something under out control (`192.168.1.106`), and now we see:
```
Frame 125229: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: 192.168.1.108 (cc:d3:1e:d0:20:67), Dst: 192.168.1.106 (f4:0f:24:04:2e:8f)
Internet Protocol Version 4, Src: 192.168.1.108 (192.168.1.108), Dst: agent.cujo.io (192.168.1.106)
Transmission Control Protocol, Src Port: 53455 (53455), Dst Port: 9443 (9443), Seq: 0, Len: 0
Source Port: 53455
Destination Port: 9443
[Stream index: 14]
[TCP Segment Len: 0]
Sequence number: 0 (relative sequence number)
Acknowledgment number: 0
Header Length: 40 bytes
Flags: 0x002 (SYN)
Window size value: 14600
[Calculated window size: 14600]
Checksum: 0xaf14 [validation disabled]
Urgent pointer: 0
Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
Maximum segment size: 1460 bytes
Kind: Maximum Segment Size (2)
Length: 4
MSS Value: 1460
TCP SACK Permitted Option: True
Timestamps: TSval 51225, TSecr 0
No-Operation (NOP)
Window scale: 5 (multiply by 32)
```
now we can see it is making some empty TCP request to `9443`
## impersonating
### phone home
standing up a webserver on `9443`, we start to see traffic:
```
\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03\xa1\xe1\x9d\x08\x88]*\xce\xe7G
```
```
\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03Gg\xed\xa3m\x02\x88\xbd\xf0\xd1\x1eS\xf0\xfbc\xfb\x80K\x8dD\xed\xfb\x9b\x8c\xa0\xb2\xc6C\xc8\x15\x86\xbb\x00\x00\xa0\xc00\xc0,\xc0(\xc0$\xc0\x14\xc0
```
requests starting with `\x16\x03\x01` are almost certainly HTTPS requests coming over HTTP, so try to forge a usable cert:
```
$ openssl req -x509 -newkey rsa:2048 -keyout agents.cujo.io.pem -out agents.cujo.io.pem -days 365 -nodes
Generating a 2048 bit RSA private key
........................................................................................+++
..........................................................................................................+++
writing new private key to 'agents.cujo.io.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Los Angeles
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CUJO
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:agent.cujo.io
Email Address []:
$ openssl x509 -text -in agents.cujo.io.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e6:5b:e3:de:c4:4f:13:7e
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=Los Angeles, O=CUJO, CN=agent.cujo.io
Validity
Not Before: Nov 29 01:38:50 2016 GMT
Not After : Nov 29 01:38:50 2017 GMT
Subject: C=US, ST=California, L=Los Angeles, O=CUJO, CN=agent.cujo.io
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B2:33:5E:3A:3D:6E:B8:DC:D8:19:89:A2:B5:67:1C:99:B1:B0:2F:2F
X509v3 Authority Key Identifier:
keyid:...
DirName:/C=US/ST=California/L=Los Angeles/O=CUJO/CN=agent.cujo.io
serial:...
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```