• Penetration Testing Biometric System: Part II:- Remotel Attacks


    Continued from


    Biometrics: The Technical part:

    Remote Attack: The attack vectors.



    This would be the basic architecture of an IP based remote management protocol of these systems.

    So here the attack points would be as follows,
    1) IP implementation for data transfer
    2) Biometric Management Servers
    3) Biometric Admin/Interface (Web Based and Desktop based )
    4) Back end Database
    5) Man In The Middle Attacks

    The attacks would be as follows:

    IP implementation for data transfer:

    The following implementation on the MIPS is used for remotely administrating the biometric devices. An IP stack would be there in the MIPS that would allow users to query the biometric system and extract and add information on to device. A GUI program would be there in the back end that is authenticated to manage these devices. There would be a back end database also, that holds all the information’s about the employees including the salary there attendance and a lot other information. So another way of hacking the biometrics would be to hack these implementations.

    This is implemented on the Biometric hardware MIPS, most of the devices use UDP for remotely managing the devices. UDP itself makes it vulnerable for many attacks.



    The remote administration capability of this device lets biometric servers to authenticate to it and manage remotely. So our primary check should be on this authentication procedure. How the authentication is implemented on the MIPS device.
    We are completely unaware of the authentication mechanism used as the program is embedded in the Biometric MIPS device. Sniffing network traffic and analyzing the packets work, but the device communicates to the server only when initiated, and it would be weekly or monthly. So the chance of getting an output out of that is limited.
    Solution: The admin application knows everything about the remote device so if we could get a copy of that application it will tell us everything we want. We could analyze the authentication mechanism, database configuration, and the commands to communicate to these devices. Let’s move forward with a live example.

    Scenario: Attacking the remote management protocol of Biometric device.
    Situation: The remote administration implementation is unknown.
    Foot printing: The label on the Biometric device will reveal which company has marketed or build that product.



    My Attack Methodology: Example Attack, “Basic for all systems”
    Information Gathering: So a visit to the company’s website reveals that company sells biometric products and could find links to user manual. Site also provides link to the application that is used to manage the devices remotely. So download a copy of the application and we are done with phase one.

    Reverse Engineering the Application to extract the commands:

    The current application is built in .Net C#, so ‘refelector’ would be the right choice for disassembling, we will have to deal with the same scenario in all the cases, languages will vary so as the dissemblers.
    The preliminary analysis revealed the Port the device use to communicate and also information about the database settings and password files. A detailed analysis show the algorithm embedded in Biometric device. It is possible to retrieve the commands to interact with the system too.


    TCP/IP communication details:




    Now the communication methodology of the remote biometric device is clear from the above analysis. The system uses UDP for communication on port 4370.Further analysis on a COM object gave idea about the device communication commands and the import library which handles all the administrative tasks. We also could find information about the firmware and detection algorithm used on the hardware.



    Export Table of COM object.




    Analyzing that Object gives all the list of all necessary commands needed to communicate with the Device. IDA was used for dissembling. These function calls very well explain the possibility of things that you could do on the remote device, functions include remotely shutting down the device to uploading a new user and finger print. So next step would be is to extract the commands. Once we have extracted enough information about the device it would be possible for us to recreate the communication and attack the device directly. And example code is as follows.

    Code to set the language on device was as follows:



    Hence the device managing software’s would act as a RFC for the unknown protocol we are gone deal with.

    Formatted command that were extracted from the application:



    Conclusion:


    1) It’s possible to extract the data communication protocol and commands the remote devices use from the management software’s.
    2) The remote application act as an RFC to the unknown protocol providing with everything we want.


    Auditing Back End Database


    As the Database is more critical and more vulnerable to attack, a check on these would also yield good output. It’s possible to get a lot of info about were the data base credentials are saved and all form the remote management software. An analysis of the current product reveled the Managing server data base password file and the encryption key details.
    Local database Password file and Encryption Key hard coded.




    Conclusion:

    1) And from every managing application we would be able to extract these information’s.
    2) Most of the times the database password would be left default only.
    3) Other database audit checks could also be done.

    Biometric Admin/Interface (Web Based and Desktop based )

    Another possible point of attacks are on the admin interface, these are either desktop based or Web based. Desktop based applications are common and the possible chances to interact with them require local privileges on the Biometric server. But web based admin panels could be attacked form outside. So an application check on those modules could also get u those data.

    Detecting Biometric Devices on Network:

    How to identify these devices?

    We been discussing about the possible ways of hacking into Biometric device remotely, but the question would be how do we detect these on the network among the many other computers and devices. So only if we could spot the remote IP address of these devices, then only we could use the above mention attacks on them. That’s something to think about. In order to get past that issue I have built an Nmap script that could scan a subnet and spot Biometric MIPS. Currently it’s capable of spotting majority of the devices. The scanner has got an inbuilt list of finger print biometric systems and algorithms embedded so using this we would be able to spot the devices.

    Biometric_Scanner.nse Script Output:





    Attacking the Device

    Now as we know the device IP address Port used and communication commands we could try to build custom UDP packets and interact with the device as were not able to detect any authentication on the device. The device was program to any commands. So this vulnerability makes it’s possible for an attacker to connect to the device and retrieve any information and manipulate data.
    Python Scapy was used to build custom UDP commands and successfully interacted with the device.

    Scapy Interacting with Device:



    UDP PACKETS:


    The attack worked and the device was responding to the command without any authentication.
    Sniffed data using Wireshark:



    The vulnerability allowed the attacker to Download, Upload new users and there Finger Prints. So it was possible for the attacker to add new users as a back door to the device.
    Sniffed Traffic Showing Employee Details:




    Conclusion:
    The procedure to successfully Pen-Test a biometric device has been explained. The paper clearly explains the necessity to add Bio-metrics devices to the scope of a network audit and the necessary care that has to be ensured on such devices.


    Videos:

    This article was originally published in blog: Penetration Testing Biometric System: Part II:- Remotel Attacks started by fb1h2s
    Comments 5 Comments
    1. demank's Avatar
      demank -
      Great post, i'm so interest to try it in my office.
      But i can't figure out exactly Biometric_Scanner.nse script, can you tell me?
      thx... great job
    1. dotcppfile's Avatar
      dotcppfile -
      That's really and I like the fact that Scapy is being useful as always.
    1. Th3Initiat3's Avatar
      Th3Initiat3 -
      Great paper, I assume the main vulnerability to this is that there is not authentication mechanism to test the trust of packets and there origin, but even if we could check using mac address as verification mechanism they still can be spoofed with scapy.

      I was wondering weather you have any ideas on how to best protect your software from this on the protocol level ?
    1. Th3Initiat3's Avatar
      Th3Initiat3 -
      Great paper, I assume the main vulnerability to this is that there is not authentication mechanism to test the trust of packets and there origin, but even if we could check using mac address as verification mechanism they still can be spoofed with scapy.

      I was wondering weather you have any ideas on how to best protect your software from this on the protocol level ?
    1. shr1503's Avatar
      shr1503 -
      nice post really awsome!!!
  • G4H Facebook

  • G4H Twitter