Buses, 802.11, and hilarity.

Ok. Just a short thing I noticed while connecting to “MoovManage” access point today on the bus.

I was sitting there, waiting for the laggy web auth thing to finish, and decided to have a quick look at what GET params I was sending. Sadly, I forgot to run a capture and harvest them, but I did notice that it gave away some interesting bits of data. ** See below, I got em! **

First off, one param was telling me about, and another Another parameter contained my MAC address in the format 00-00-00blahblah

There were various other “bits” sent, that looked a bit like cookies, but I quickly realized that those were likely just extra fluff sent by the app. There was also the original request I made (http://www.google.com/) and a redirect to unnamedbuscompany.com (obviously I am redacting some data!)

There was also a reference to port 3306… What runs on 3306? MySQL.. So I am beginning to wonder, should I reconnect later (with a different MAC address – I have 3 wireless interfaces, Macchanger, and some SERIOUS curiosity) and run a sniffer/MITM proxy to see what is going on? Could be all kinds of data leakage there… maybe even connection params to MySQL Server?

Now for the “ideas”. Those GET params… XSS? SQLi? Who knows! A persistent XSS in such an app would allow you to harvest all kinds of data I imagine, like people connecting’s MAC addresses, sites they requested (+ get params associated), and their “intranet” IP. You could also force redirects to ads, malware, or phishing sites – the application already has redirects in place, but using an XSS vuln to introduce a “new” redirect to “facebook.com” or “gmail.com” would be… Fascinating.

Just some random thoughts :) (Its morning and /dev/brain has not mounted fully…)

## Some time later ##

So I got curious. As we all do. So I ran an nmap scan, as I don’t enjoy sharing my network space with unknown devices.

Here be the results… With SSL certs and such redacted because. Well because I felt like it!

user@brokenhost:~$ sudo nmap -sS -sV -A -O -vvv

Starting Nmap 6.02 ( http://nmap.org ) at 2012-06-20 09:21 IST
NSE: Loaded 96 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Initiating ARP Ping Scan at 09:21
Scanning [1 port]
Completed ARP Ping Scan at 09:21, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:21
Completed Parallel DNS resolution of 1 host. at 09:21, 0.19s elapsed
DNS resolution of 1 IPs took 0.19s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 09:21
Scanning [1000 ports]
Discovered open port 443/tcp on
Discovered open port 22/tcp on
Discovered open port 53/tcp on
Completed SYN Stealth Scan at 09:21, 7.73s elapsed (1000 total ports)
Initiating Service scan at 09:21
Scanning 3 services on
Completed Service scan at 09:22, 13.30s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against
NSE: Script scanning
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:22
Completed NSE at 09:22, 26.50s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Nmap scan report for
Host is up (0.0071s latency).
Scanned at 2012-06-20 09:21:50 IST for 49s
Not shown: 997 closed ports
22/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.2 (protocol 2.0)
| ssh-hostkey: 1024 [REDACTED] (RSA)
53/tcp open domain dnsmasq 2.46
| dns-nsid:
|_ bind.version: dnsmasq-2.46
443/tcp open ssl/http thttpd 2.25b
| sslv2: server still supports SSLv2
| SSL2_RC4_128_WITH_MD5
| ssl-cert: Subject:


Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.13 – 2.6.32
TCP/IP fingerprint:

Uptime guess: 0.044 days (since Wed Jun 20 08:19:58 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=201 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

1 7.06 ms

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:22
Completed NSE at 09:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.56 seconds
Raw packets sent: 1073 (47.958KB) | Rcvd: 1032 (41.990KB)

So, it is some kind of embedded Linux box (Debian) running an unusual HTTPd, an odd DNS server, and a ridiculously outdated version of SSH. Which I am sure is probably exploitable.

I also would guess ARM or MIPS/MIPSEL architecture, though do not hold me to that, as that is just a guess. I do not think it is running x86. Further poking was not done lest laws be violated – looking at something is OK, but actually trying to break into it, is NOT OK. Hence, I did not bother search for an exploit or anything. I might analyse the results later and publish ideas on owning these things, but not now.

To be honest, I want to buy one of these devices to poke at it some more, would love to find some vulns in them. They are embedded devices, ergo sexy as fuck!

Ok, so on my return trip I captured the GET it made. Here it is, dissected…


&uamip=[GATEWAY IP] #
&uamport=3990 # How interesting, last time it was 3306… Perhaps random?
&challenge=1ae780936302d93e8a408936ab128209 # MD5 hash, have not cracked it… YET!
&mac=[MY MAC ADDRESS] # LOL, as if I was going to expose that ;)
&ip=[MY LAN IP ADDRESS] # 10.0.0.(removed)
&called=[ROUTER MAC ADDRESS] # Don’t track me bro…
&nasid=1082 # No clue what you are… YET
&userurl=http%3a%2f%2fgoogle.com%2f # Oh how nice. Thats where I was going :3
&md=584472E656ADD831B5D3060AA9B35E4B # MD5 hash, have not cracked it… YET!

So, I was wrong about the MySQL Server connection, but it DOES make some kind of connection, likely a “VPN” setup or something, or maybe that is the port my traffic exits the network via. I do not know yet.