Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Yes, trying to hack a remote control

from [Brian Kerley] Network Security [Permanent Link]
Subject: Re: Yes, trying to hack a remote control
Date: Thu, 8 Feb 2007 14:00:19 -0700 
Dave: you're right that I did the really basic, simple scan, so I will
do the more in depth stuff later tonight.  Quick question though.  If
I attempted a telnet into that port, and it asked for a username/pass,
does that mean the service is actually running on that port?

Geoff: Hopefully it isn't just for firmware updates....otherwise it
might have to get a little crazier, like somehow snagging the firmware
update and seeing if I can use a resource editor on it to change
anything, and then upload a modified firmware to the remote.

Everyone else, I will perform upload the scan later tonight when I get a chance.

Thanks everyone!  I got a lot more replies than I thought I would :-)

On 2/8/07, Dave Moore <dave.j.moore@gmail.com> wrote: 
When nmap gives you the name of a service, that name is in many cases
only the most /common/ protocol to use a port, not the one that uses
it exclusively. In other words, whichever port nmap identified as
'discard' is not necessarily running anything to do with discard
(whatever that is)

The latest versions of nmap have a feature whereby you can run scans
that will actually connect to the port in question and fetch banners
and anything else it can, and make a determination as to what is
running on the port in question with this data, which is far more
reliable.

I'm assuming here that you're using a basic nmap scan, correct me if
I'm wrong. But if you are, then the open ports nmap identified as
telnet and ftp may not even be telnet and ftp. When you get into niche
stuff like this, I'd not be inclined to take nmaps word for it.

I suggest you download the latest version of nmap, and perform more
intensive scans, such as the one mentioned above. If you're still
having trouble, you should post port numbers and raw banner data (This
can be garnered by use of the service scan mentioned above with one or
two -v flags, for verbosity)

I've got Nmap version 4.21ALPHA1 atm, I would probably start with this:

nmap -sV -v -v -p 1-65535 -P0 169.254.1.2

That -p switch is to scan all known ports, which nmap does not do in a
default scan.

YMMV and all that.

Sorry if I just told you a bunch of stuff you already knew, but this
is the basics list :)

Dave

On 2/7/07, Brian Kerley <kidgenius@gmail.com> wrote:
> Ok, you guys are going to probably think I'm the biggest loser, but here's
> what's up.
>
> I've got a new Harmony 1000 remote from logitech. It's a new touchscreen
> remote that has just came out.  Of course, I can't leave well enough alone
> and would like to take a look at the inner workings of this thing.  That's
> where it gets difficult and I'm hoping someone might be able to help.
>
> The remote connects via usb using a Belcarra USB Lan Link.  The remote gets
> assigned an IP address of 169.254.1.2  I've scanned it and it shows that it
> is running both telnet and ftp (as well as another service called "discard"
> according to nmap).  So I've tried to telnet/ftp into it using a various
> combination of passwords and usernames.  I've also tried to do a dictionary
> attack, but the remote shuts the service down after so many attempts.  I've
> also tried using both Cain and Wireshark to analyze the packets being sent
> to the remote during an update that is performed by the included software.
> I got a lot of data, but I can't seem to find any plaintext passwords or
> usernames in the packets.  The software running on the computer is java, and
> the remote's software might be java as well.
>
> Do you guys have any ideas on how I might be able to get into this thing?
> There are also a lot of guys running linux that have other logitech remotes,
> and of course are high-and-dry right now about how to update without running
> a virtual environment.  If I can figure how to get in over one of these
> services, then maybe it can be of some help to those guys.
>
> Thanks,
> Brian
>


--
==========
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects. -Heinlein

This message copyright (c) 2004-2007 David J Moore


[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: PHP filter function against SQL injections, jeffrey rivero
Next by Date:  Re: Virtual Machine from an existing Physical Machine, Mathew
Previous by Thread:  Re: Yes, trying to hack a remote control, gjgowey
Next by Thread:  Re: Yes, trying to hack a remote control, gjgowey
Indexes:  [Date] [Thread] [Top] [All Lists]