Lost password and brute force

Sunnysky86 · May 6, 2016

Hi,

i'm a newbye and i have this problem: at work i have a device configured with a password, i wrote it the first time i put in but now it didn't work anymore! Maybe my coworker changed it but nobody seems to know the new one. I have looked online and there isn't any reset button or procedure for it. The device is connected to windows seven with a serial port. Is there any chance to do a dictionary-brute force over a serial connection? I need to regain access to this device :sad: Please if you can help me...

Mr-Protocol · May 6, 2016

It would help to know what the device is. Make/Model/Manufacturer, etc.

digininja · May 6, 2016

Technically yes but without knowing a lot more we can't help. Loads of questions: Is it a common app, do you know the protocol it is using, do you have any programming experience, have you tried talking to the manufacturer?

i8igmac · May 6, 2016

Can you dump the password hash... boot up kali usb on the machine... all the tools are there...

many many years ago I did this with backtrack 2. The password dumping tools were located on backtrack

/pentest/windows/binary/passdump.exe

lots of cool binaries located in this directory, was fun uploading each file to a windows machine from meterpreter and see what each executable can do., I used to have a copy of all these binaries...

Sbd.exe was bad ass netcat clone if any one can concur?

I think kali has a windows-binary package in the repo

digininja · May 6, 2016

It is a device connected to a windows box, not a windows box as far as I can tell from the question.

Sunnysky86 · May 6, 2016

Device is a datalogger for temperature data acquisition, model 62D32, manufacter is Cryopak. The software used to interact with is called "Console Pro". There's an usb interface (serial port: COM1) where insert the datalogger and gain access:

<http://www.esis.com.au/Escort/EA-INT-USB.jpg>

I contacted manufacter but no answer (great support!). However from a generic manual about thier device:

Q: My password has changed, but I did not type a new one in; what is wrong?
A: The password prevents an unauthorised person from overwriting your data
There is no "back door" into the logger if you forget your password, so please
make sure no other person has access to your password and changes i
without your knowledge. If you are sure you have not reprogrammed you
password, you may have inadvertently changed it by entering the Set New
Password dialog (see Chapter 2, Programming the Logger), and hitting the
"OK" button, rather than the "Cancel" button. In this case the password has
changed to a blank password, and pressing “OK” in the Security Access
dialog will get you to the next dialog box, without having to enter a password
You can then set the password in the normal way.
Other possible reasons include:
1. The password within the logger has been corrupted. The software wil
attempt to reset the password back to the factory default.
2. You are experiencing communication errors. Please check with you
computer vendor to ensure your communication ports are configured and
functioning correctly.
3. The logger has corrupted configuration data, possibly as a result of the
electronics being subjected to an excessive electrostatic discharge o
exposure to high EM fields. The logger will require servicing.

Probably the password was changed...
So i'm stuck... I don't have any programming experience and I don't know what to do! :sad:

digininja · May 6, 2016

From what they say, it sounds like you'll need to get it serviced to reset the password.

If you wanted to try to brute force it you'd need to set something up to capture the communication between the PC and the device, see if you can decipher the protocol then write something custom to go through and do some kind of dictionary attack. May be relatively easy, may be quite hard depending on your skill level and the way the device works. I've just done this to work out how a Windows app talks to an RFID writer, there was no spec so I had to sniff the traffic then use educated trial and error to reproduce it. It wasn't too hard but it did take quite a bit of time and was very frustrating, especially trying to work out how they did a checksum on one particular command.

Sunnysky86 · May 7, 2016

From what they say, it sounds like you'll need to get it serviced to reset the password.

If you wanted to try to brute force it you'd need to set something up to capture the communication between the PC and the device, see if you can decipher the protocol then write something custom to go through and do some kind of dictionary attack. May be relatively easy, may be quite hard depending on your skill level and the way the device works. I've just done this to work out how a Windows app talks to an RFID writer, there was no spec so I had to sniff the traffic then use educated trial and error to reproduce it. It wasn't too hard but it did take quite a bit of time and was very frustrating, especially trying to work out how they did a checksum on one particular command.

I don't think i have enough skill for that.... However if i want to try step by step what can i use for capture data from pc and device?

Thank you for your explanation.

Mr-Protocol · May 7, 2016

If it's connected with a serial port, most likely it will be RS-232.

digininja · May 7, 2016

I've actually got a blog post waiting to be finished which details how I did my work.

Is it using pl2303 to do USB to serial? If so then I can try to explain. My method is probably a bit more complex than it needs to be and includes using a Linux host with windows running in a VM and then sniffing traffic with Wireshark and tcpdump. You could probably just do it with the latest Wireshark and Windows but in my case I couldn't get the pl2303 drivers I needed to use to play nice.

Sunnysky86 · May 7, 2016

Yes probably is a RS-232 serial (manufactor sells two type of interface: one with an usb connector and one with an DB9 connector usually associated with RS232). I disambled the interface and the main chio is FTDI 1435C GP170221 FT232RL.

From their website:

The FT232R is the latest device to be added to FTDI’s range of USB UART interface Integrated Circuit Devices. The FT232R is a USB to serial UART interface with optional clock generator output, and the new FTDIChip-ID™ security dongle feature. In addition, asynchronous and synchronous bit bang interface modes are available. USB to serial designs using the FT232R have been further simplified by fully integrating the external EEPROM, clock circuit and USB resistors onto the device.

The FT232R adds two new functions compared with its predecessors, effectively making it a "3-in-1" chip for some application areas. The internally generated clock (6MHz, 12MHz, 24MHz, and 48MHz) can be brought out of the device and used to drive a microcontroller or external logic. A unique number (the FTDIChip-ID™) is burnt into the device during manufacture and is readable over USB, thus forming the basis of a security dongle which can be used to protect customer application software from being copied.

The FT232R is available in Pb-free (RoHS compliant) compact 28-Lead SSOP and QFN-32 packages.

What's the best way to sniff traffic with this arrangement? I tried some softwares but no one seems to work...

digininja · May 7, 2016

Are you connecting through a USB port or old school serial D connector?

If it is USB then Wireshark can sniff USB traffic, I did it in Linux so don't know anything about doing it in windows but it will be well documented.

Sunnysky86 · May 7, 2016

Yes, it's connected through a USB port. I'll try Wireshark this monday! (In the meantime i'll read some info about it and RS232's protocol...). Thank you everyone for your support!

fugu · May 8, 2016

~~Just wanted to add a plug for the portpilot:~~

~~http://hakshop.myshopify.com/products/portpilot~~

~~in the hakshop. although I have not used it personally, It is a usb data logger, which you might consider if wireshark doesn't work for you.~~

Edited May 11, 2016 by fugu

Sebkinne · May 8, 2016

Just wanted to add a plug for the portpilot:
http://hakshop.myshopify.com/products/portpilot
 
in the hakshop. although I have not used it personally, It is a usb data logger, which you might consider if wireshark doesn't work for you.

It's not! It's a USB power meter.

Best regards,

Sebkinne

Sunnysky86 · May 9, 2016

Just wanted to add a plug for the portpilot:
http://hakshop.myshopify.com/products/portpilot
 
in the hakshop. although I have not used it personally, It is a usb data logger, which you might consider if wireshark doesn't work for you.

Thank you but Wireshark did the trick! :smile: