6th No-Spy Conference

Last friday Florian and me attended the 6th No-Spy Conference in Stuttgart, Germany. We gave a talk about surveillance and censorship on modern devices in North Korea and discussed various aspects with the attendees. The atmosphere was very welcoming and we had some nice discussions about various topics which allowed us to better clarify some things. The slides are available here.

Thanks to the organizers for having us!

Continue reading

KNXmap: A KNXnet/IP Scanning and Auditing Tool

Users of the KNX, a standard for home automation bus systems, may already have come across KNXnet/IP (also known as EIBnet/IP): It is an extension for KNX that defines Ethernet as a communication medium for KNX which allows communication with KNX buses over IP driven networks. Additionally, it enables one to couple multiple bus installations over IP gateways, or so called KNXnet/IP gateways.

In the course of some KNX related research we’ve had access to various KNXnet/IP gateways from different vendors, most of them coupled in a lab setup for testing purposes. The typical tools used for such tasks are ETS, the professional software developed by the creators of KNX (proprietary, test licenses available) and eibd, an open source implementation of the KNX standard developed by the TU Vienna.

Continue reading “KNXmap: A KNXnet/IP Scanning and Auditing Tool”

Continue reading

Implementing an Obsolete VPN Protocol on Top of HTTP: Because Why Not?

Recently I’ve started some research on MikroTik’s RouterOS, the operating system that ships with RouterBOARD devices. As I’m running such a device myself, one day I got curious about security vulnerabilities that have been reported on the operating system and the running services as it comes with tons of features. Searching for known vulnerabilities in RouterOS on Google doesn’t really yield a lot of recent security related stuff. So I thought, there is either a lack of (public) research or maybe it is super secure… 🙂

Not really satisfied with the outcome of my research about previous research one day I thought I give it a shot and just take a quick look at the management interfaces, mainly the web interface. As it turns out, there could be a third explanation for the lack of security related search results on Google: obfuscation. The communication of the web interface is obfuscated, most likely encrypted, which may discourages researchers that just came around to search for low hanging fruits. Continue reading “Implementing an Obsolete VPN Protocol on Top of HTTP: Because Why Not?”

Continue reading

Discover the Unknown: Analyzing an IoT Device

This blog post will give a brief overview about how a simple IoT device can be assessed. It will show a basic methodology, what tools can be used for different tasks and how to solve problems that may arise during analyses. It is aimed at readers that are interested in how such a device can be assessed, those with general interest in reverse engineering or the ones who just want to see how to technically approach an unknown device.

This post will most likely not cover any vulnerabilities per se. However, it outlines weaknesses which affect a wide range of IoT devices so various aspects are applicable to other devices and scenarios.

Continue reading “Discover the Unknown: Analyzing an IoT Device”

Continue reading

Hacking 101 Training at TROOPERS16

This year’s Hacking 101 workshop at TROOPERS16 will give attendees an insight into the hacking techniques required for penetration testing. These techniques will cover various topics like information gathering, network mapping, vulnerability scanning, web application hacking, low-level exploitation and more.

During this workshop you will learn, step by step, a testing methodology that is applicable to the majority of scenarios. So imagine you have to assess the security of a system running on the Internet. How would you start? First, you need a good understanding about the target, including running services or related systems. Just scanning an IP will most likely not reveal a lot of information about the system. The gathered information may help you to identify communication relations of services that could include vulnerabilities. A brief understanding of the target and it’s related systems/services/applications will make scanning and identifying vulnerabilities a lot easier and more effective. Then, the last step will be the exploitation of the identified vulnerabilities, with the ultimate aim to get access to the target system and pivot to other, probably internal, systems and resources.

So if you are interested in learning these techniques and methodologies, join us at the TROOPERS16 Hacking 101 training! Attendees should have a brief understanding of TCP/IP networking and should be familiar with command lines on Linux systems. Also, being familiar with a programming/scripting language is considered useful.


Continue reading

Cisco and the Maintenance Operation Protocol (MOP)


this is a short write up about the Maintenance Operation Protocol (MOP), an ancient remote management protocol from the DECnet protocol suite. It’s old, rarely used and in most cases not needed at all. But as we stumbled across this protocol in some network assessments, it seems like a lot of network admins and other users don’t know about it. Even various hardening guides we’ve seen don’t mention MOP at all.

Continue reading “Cisco and the Maintenance Operation Protocol (MOP)”

Continue reading

KNX Support for Nmap

Hi folks,

our home automation research, especially with KNX, is still in progress. As part of this research we’ve implemented various tools to easy the process of identifying and enumerating KNX devices, in both IP driven networks and on the bus.

Lately we’ve written two Nmap NSE scripts to discover KNXnet/IP gateways. These allow everyone to discover such gateways in local and remote networks and print some useful information about them. One of them follows the specification to discover gateways by sending multicast packets, where all devices on the network must respond to. Due to the specification of KNXnet/IP this process is rather non-invasive because only a single UDP packet is needed to discover multiple gateways. The other script allows to identify gateways via unicast connections by a slightly different message type, which allows discovery over e.g. the Internet.

The scripts are now publicly available and will (hopefully) be included in Nmap soon.

Currently we are working on a tool which allows to enumerate KNX devices on the bus either from an IP driven network over a KNXnet/IP gateway or directly on the bus. Additionally information about the discovered devices included in the bus system will be extracted, e.g. what kind of device it is a sensor or an actuator.

It is planned to be released soon, so stay tuned 😉

Continue reading

GitHub Enterprise 2.0.0 Fixes Multiple Vulnerabilities

Recently we had the pleasure to take a look at GitHub’s Enterprise appliance. The appliance allows one to deploy the excellent GitHub web interface locally to host code on-site. Besides the well known interface, which is similar to the one hosted at github.com, the appliance ships with a separate interface called the management console, which is used for administrative tasks like the configuration of the appliance itself. This management interface is completely decoupled from the user interface.

During our assessment we focused on the management console where we found several vulnerabilities (others may have found them, too). On November 11, 2014 GitHub released a security advisory which included the most critical findings that have been fixed in GitHub Enterprise 2.0.0. Because the advisory doesn’t include any detailed information, we will discuss some of those vulnerabilities in detail.

Continue reading “GitHub Enterprise 2.0.0 Fixes Multiple Vulnerabilities”

Continue reading