jakec / dec 2020
Burping. It’s that tradition your dad referred to as “polite in some cultures.” It’s the cornerstone of one of TV’s most hated characters. It’s the tool I’m learning about today to solve Santa’s latest troubles. His sleigh has been hacked and we’ve gotta recreate the attack to find out how to patch it.
Burp Suite isn’t just a single tool but a whole platform for web application testing. Today, TryHackMe is highlighting how hackable Internet of Things devices are with even a pretty elementary attack. What’s an IoT device? Basically anything that’s had “smart” prepended to it. Smart fridges, smart TVs, smart lights, they’re all Things in the Internet of Things. Some internet-enabled Things, like your smart phone, are probably pretty secure. But a lot are not. Remember yesterday how I said the internet wasn’t designed to be secure, it was just designed to work? Well, that’s the same internet that’s now part of your thermostat, your doorbell, or even your apartment locks. Remember yesterday how I also said there’s plenty you can do to make the insecure internet more secure? Well, manufacturers of IoT devices didn’t read that post.
As TryHackMe points out in their walkthrough today, the management console (usually a website you can connect to that lets you change settings on your smart device) for these Things often keeps their default login details. If you wanna log in to change the spin rate of your Smart Disco Mirror Ball, you don’t want to remember some arcane passphrase, you just want to type “admin admin” and go. So sometimes, it’s easy to guess them. Did you ever play with a garage clicker in the 90s? You could open them up and inside were a few dip switches that you could flick up or down which would program the frequency for your garage door opener. Every clicker needed a distinct frequency, otherwise you’d go to open your garage door and end up opening your neighbour’s door as well. Haha, wouldn’t that be funny. Definitely not a security flaw. I certainly didn’t spend hours as a kid playing with these switches until I stumbled on the frequency for MY neighbour’s garage door.
If I had, which I didn’t, I would’ve been using a technique called brute-forcing. Imagine you need to get through a wall, so you just keep running into it again and again until eventually you get through it. (Unless you’re Henry Cavill, The Superman, and you run through it the first time. But that’s too easy/glamorous.) Brute-forcing is like that: just try everything until you get it right. As a kid, I didn’t try a LOT of combinations to not find my neighbour’s garage door combination. If there were eight dip switches, that’s 256 possible combinations (each switch has two options, up or down, there are eight switches, 2^8 = 256). Not that many if you have a little time. And baby, in the days before Vine compilations, we had plenty of time.
What if your neighbour doesn’t have a garage door? Well, if you want to try brute-forcing, find the IP for whatever brand new smart device they’ve been bragging about and try the following attack. I mean, don’t, because I think this would constitute inciting illegal behaviour if you do? But follow along anyway.
Instead of trying every combination of dip switch to open a garage door, we’re going to try every combination of a handful of default usernames and passwords until we can log in to Santa’s sleigh. This form of brute-forcing is called a dictionary attack and it’s a large part of getting into places you shouldn’t. TV has done a good job of making bypassing authentication look cryptographical — in other words, someone “runs an algorithm” on an “encrypted key” and beep boop bing bong the password appears on the screen. Some encryption can be broken, certainly. And often, when a password goes into a system, it’s stored as a hash - an algorithmic jumble of letters and numbers - instead of the password itself, and there are HUGE tables you can download that match these hashes to their decoded passwords. But often, the fancy mathematical stuff is unnecessary when people are still so terrible at coming up with passwords. If you can just guess a lot in a short span of time, you might be good to go.
(This is why you should use a password manager to generate long, random, unique passwords for you.)
So we have Burp Suite. And we’re gonna do a dictionary attack. First, we change our proxy settings to make sure Burp will intercept all our traffic.
Then we try logging in. Hey look, Burp got our login request!
I spoke yesterday about GET requests. Here’s a POST request. Yeah, this is (part of) what it looks like behind the scenes when you log in to something. If a GET request is GETting parameters from a URL and then doing something based on them, a POST request is the client POSTing something to the web server. In this case, it’s login details, but when we uploaded that image/reverse shell code yesterday? That was also a POST request. Down the bottom we can see we’re trying to POST a username and a password.
Now we set our Payload Positions — basically the fields where our guesses will be inserted.
Then we define our dictionary in the Payloads tab. A payload in security terms is much like in warfare: the meat among the potatoes, the warhead in your ballistic missile. It’s the Good Stuff. Assuming this is a pretty poorly secured device that we’re attempting to hack, we can just make a few guesses for common default usernames and passwords.
Then we hit “Start Attack” and it will guess every combination of the words we put in. Once it's finished, it'll tell us all the ones that worked. In this case, it's username: admin, password: 12345.
And we're in.
Now that’s the magic of Christmas.