Penetration Testing Biometric System
By FB1H2S aka Rahul Sasi
http://Garage4Hackers.com
http://null.co.in/ http://nullcon.net/

Who am I? What is this paper about?
• Rahul Sasi aka FB1H2S, an information security enthusiast (http://fb1h2s.com), working as a consultant at http://www.aaatechnologies.co.in
• Active participant of Null and other computing groups.
• A member of Garage4Hackers (http://www.Garage4Hackers.com).
• What this paper contains.

Explaining the Risk
• Fingerprint devices are deployed everywhere, for attendance and door management.
• Advantages and disadvantages of biometric systems.
• The devices hold critical information: employee details, employee attendance and employee salary.

Why audit them?
"I just hacked into the biometric attendance register and changed the attendance and salary :D of mine and my @#$$"
"I am marked 10 days absent, what the |-|3ll is happening!"
(Characters on the slide: Student / Employee and Professor / Not so good co-worker.)

Classifying the Attacks
Local attacks:
• Fingerprint sensor
• USB data manager
Remote attacks:
• Remote IP management
• Back-end database
• Fingerprint manager (admin interface)

Biometric System Attack Vectors

Biometric Systems: Common Applications
• Reliable attendance management systems.
• Fingerprint-guarded doors, implemented for keyless secure access.

Attacks: The Non-Technical Part

Local Attack: Fingerprint Sensor
• Fingerprint scanners read input using one of two methods:
  1) Optical scanner
  2) Capacitance scanner
• Fingerprint recognition systems are image-matching algorithms.
• Cloning a duplicate fingerprint can therefore cheat the image-matching algorithm.

Stealing a Fingerprint
• Your finger impressions are left on anything you touch.
  Example: on glass.

My Approach: Fingerprint Logger
• A biometric sensor looks like this (slide image).
• Place a thin transparent object with a low refractive index in front of the sensor and log the fingerprints pressed on it.

Building the Fingerprint Logger
• Refraction: use a thin transparent sheet with a low refractive index, so the sensor still reads the finger through it.
• Log the victim's fingerprint using the fingerprint logger.

Steps: Building the Logger
(slide images)

Special Points to be Considered

Reproducing a Fake Fingerprint

Local Attack: USB Data Manager
• Biometric devices have built-in data storage, where they keep the fingerprints and user information.
• USB support exists to download and upload fingerprints and other log details to and from the device.
• Most devices have no protection mechanism at all against data theft, and those that use password protection are often deployed with the default password.

Attacks: The Technical Part

Remote Attack Vectors
• IP implementation for data transfer
• Biometric management servers
• Biometric admin interface (web based and desktop based)
• Back-end database
• Man-in-the-middle attacks

TCP/IP Implementation for Remote Management

Remote Administration Implementation Issues
• The remote administration capability of the device lets biometric servers authenticate to it and manage it remotely.
• We know nothing about the management protocol in use, because the program that implements it is embedded in the MIPS-based biometric device itself.
Solution
• The admin application knows everything about the remote device, so if we can get a copy of that application it will tell us everything we want to know.

Example Attack: Attacking the Remote Management Protocol
• Situation: the remote administration implementation is unknown.
• Footprinting: the label on the biometric device reveals which company built or marketed the product.
• Download a copy of the remote management software from the vendor's site.

Example Attack: Reverse Engineering the Application
• Reflector was used to decompile the .NET application.
• This revealed the TCP/IP settings the application uses to communicate with the device: it talks to the device on port 4370.

The application uses COM objects to interact with the device
• IDA was used to disassemble the COM objects.
• Disassembling the imported functions shows the communication details.

Example: Device Commands Extracted
• Commands to set the device time remotely.

Auditing the Back-End Database
• From the disassembly we were able to find the local database password file and the encryption key hard-coded in the application.

Biometric Admin Interface (Web Based and Desktop Based)
• Another possible point of attack is the admin interface, which is either desktop based or web based.
• Desktop-based applications are common, and interacting with them requires local privileges on the biometric server.
• Web-based admin panels, however, can be attacked from outside.
• So an application-security check of those modules for web application vulnerabilities also helps.

Nmap Script: Detecting Biometric Devices on the Network
How do we detect these devices on the network in order to attack them?
Nmap script output: (slide image)
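The slides show only the Nmap script's output, not the script itself. The following Python sweep is an added example written for this page, not the author's script: it does the same job by testing which hosts in a range accept a TCP connection on port 4370, the port the decompiled management tool was found to use. Because the management protocol is proprietary and undocumented, the scan sends no device commands; an open port marks a candidate only. The loopback listener and the port number for the test are constructed for the example and are not a real device.

```python
"""Sweep a network range for hosts listening on TCP/4370 (biometric management port).

Added example for the slide "Nmap Script: Detecting Biometric Devices on Network";
not the original Nmap script.  Only a TCP connect() is attempted, nothing is sent.
"""
import ipaddress
import socket
import sys
import threading
from concurrent.futures import ThreadPoolExecutor

BIOMETRIC_PORT = 4370  # port the vendor management tool was seen using (from the slides)


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def sweep(hosts, port: int = BIOMETRIC_PORT, timeout: float = 1.0, workers: int = 64):
    """Return the hosts (in input order) that accept connections on port."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: port_open(h, port, timeout), hosts))
    return [h for h, ok in zip(hosts, results) if ok]


def expand_cidr(cidr: str):
    """Expand a CIDR block into its usable host addresses as strings."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


def _accept_loop(srv: socket.socket) -> None:
    # Accept and immediately close connections until the listener is closed.
    while True:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            return


def start_dummy_listener(port: int = 0):
    """Bind a throw-away TCP listener on loopback (constructed test target,
    not a real biometric device) and return (socket, bound_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python sweep4370.py 10.0.0.0/24   (only against networks you are authorised to test)
    cidr = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1/32"
    for h in sweep(expand_cidr(cidr)):
        print(f"{h}: TCP/{BIOMETRIC_PORT} open - candidate biometric device")
```

The plain Nmap equivalent is `nmap -p 4370 --open <range>`. An open port is only a lead: any service may sit on 4370, so confirm a candidate with the vendor's own management tool (or the commands recovered from it) before treating it as a device, and keep the sweep inside the agreed audit scope.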
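Returning to the back-end database slide above: the slides report that the database password file and encryption key were found hard-coded after disassembling the management application. The script below is an added example, not the author's tooling, that automates the first pass of that audit: it pulls printable strings out of a binary in both ASCII and UTF-16LE (the encoding .NET uses for string literals, which a plain ASCII `strings` run misses) and flags the ones that look like credentials or connection strings. The sample bytes and the keyword list are constructed for the example.

```python
"""Flag hard-coded credential material in a vendor management binary.

Added example for the slide "Auditing Back End Database"; not the author's code.
Extracts ASCII and UTF-16LE strings and reports those matching credential keywords.
"""
import re
import sys

MIN_LEN = 6  # shortest printable run worth reporting

# Keywords an auditor looks for in a management tool that talks to a database.
SUSPICIOUS = re.compile(
    r"(password|pwd|passwd|secret|encrypt(ion)?\s*key|Data Source=|Server=)",
    re.IGNORECASE,
)

# Printable ASCII runs, and printable runs where every char is followed by NUL (UTF-16LE).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for every printable run in data."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_credentials(data: bytes):
    """Return [(offset, encoding, text)] for strings that look like credentials, by offset."""
    return sorted(
        (off, enc, text)
        for off, enc, text in extract_strings(data)
        if SUSPICIOUS.search(text)
    )


# Constructed sample, not a real vendor binary: an ASCII connection string with a
# password, a UTF-16LE key literal, and a short run below MIN_LEN that must be ignored.
SAMPLE = (
    b"\x00\x01MZ\x90\x00" + b"\x00" * 8
    + b"Server=localhost;Database=attendance;User Id=sa;Password=admin123;"
    + b"\xff\xfe" + "EncryptionKey=0123456789abcdef".encode("utf-16le")
    + b"\x00" * 4 + b"short" + b"\x00"
)


if __name__ == "__main__":
    # Usage: python findcreds.py <vendor_app.exe or .dll>; with no argument the sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, enc, text in find_credentials(data):
        print(f"0x{off:08x} [{enc}] {text}")
```

A hit here is a starting point, not proof: confirm in Reflector or IDA how the string is used (for example whether the key actually decrypts the password file), and treat any credential that ships inside a client binary as compromised for every site running that version, since a copy of the installer is all an attacker needs.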
Attack Videos

Conclusion
• The risks and vulnerabilities associated with biometric devices have been explained.
• This shows the necessity of including these devices in the scope of a network audit.