Wednesday, December 12, 2012

Silent Install Of Shoretel Communicator without Reboot

Here's how to install Shoretel Communicator 12.3 silently, remotely, and without an automatic reboot.

Download the communicator install from your HQ server.

Please note that Communicator will not work properly until the PC has been restarted. I'll have to check into that later I assume it just needs a service restarted.

Here's the entire script I wrote up.
1. We do a check to see if it's a x86 or x64 PC, we get that from the SystemInfo command.
2. Then we set the appropriate path using the variable spth.
It's a bad idea and it will end badly for you. I ALMOST made that mistake, but I have the good habit of re-reading a script one more time before I execute it. Saved my bacon.

3. Determines if Communicator is already installed, then either forks it to the install section or the end function.

The install command line to get a silent non rebooted install of communicator is as follows:

setup.exe /S /v"/qn REBOOT=reallysuppress"

now it's an installshield that's wrapped around an MSI so the switches are split.
/S and /v are for the installshield setup. /S is Silent /v is variable to pass to the msi installer.
You can pass multiple variables / switches to the MSI by enclosing them in " ". Notice there is no space between the /v and the ". Spaces inside the " " are okay.

Here's the script:

@echo off
systeminfo | find /i "System Type" | find /i "X86-based PC"
if %errorlevel% == 0 set spth="C:\Program Files\Shoreline Communications\ShoreWare Client\Shoretel.exe"
Echo Checking System Type (x86 vs x64)
systeminfo | find /i "System Type" | find /i "X64-based PC"
if %errorlevel% == 0 set spth="C:\Program Files (x86)\Shoreline Communications\ShoreWare Client\Shoretel.exe"

Echo Checking if Communicator is already installed.....
if exist %spth% goto end1
if NOT exist %spth% goto install

echo Installing Shoretel Communicator
\\fileserver\installs$\ShoreTel\setup.exe /S /v"/qn REBOOT=reallysuppress"
echo Installation Finished

echo Shoretel Communicator is already installed.
ping -n 5 > nul

Psexec or use your favorite method of pushing out an install and you're golden.

Wednesday, October 3, 2012

iDRAC in the Wild

iDRAC is Dell's remote management feature. It comes in 2 flavors Basic and Enterprise. Like most things it comes with a default user name and password combo (root calvin). Unfortunately it does not require you to change it before it becomes enabled. So you can have iDRAC run with the default user and pass.

Well obviously that's not good.

Dave Kennedy recently made a post about using this during a penetration test. Blog Post at Trusted Sec
The scanner he wrote is the best part.

With the Enterprise version you get a virtual console and the ability to load virtual media to boot from. So load up your favorite live cd reboot and get pwning.

So I thought to myself, well I wonder if people have this default configuration but with a public address, that could cause all kinds of problems.

They do, and there are many of them with the default login from the small amount of searching I've done.

The biggest  problem I see, aside from the obvious threat to your entire network, is that someone could launch a live cd, setup a temporary server, do what ever evil deeds need done then reboot back to the normal boot device and all evidence is gone. What a fantastic jump point to attack some other network. Need a server for about 20 minutes to drop some files and want to make sure no evidence remains after that? iDRAC is the way to go.

Google Search : intitle:"Integrated Dell Remote Access Controller 6 Enterprise"
Shodan Search : 2.6.24-ami (Just one example)

Tuesday, September 11, 2012

DIY Under the Door (MULE) Tool

There's been a lot of dust kicked up over this type of tool. It seems to be a coveted item for some reason. I don't get it personally but I saw it and I made one. I think I did a pretty solid job and it works perfectly.

I picked up a 6' rod of 3/16th's steel at my local hardware store. That sounds like a lot but I didn't have to trim any of it.
I got some string from the same store.

Total Cost: about $8

I just used a large pair of channel lock pliers and my hands to make all my bends. No special tools required.

You have to use some caution making the bends as if you make a bend too sharp you're going to have a pretty rough time getting it straightened back out.

Here it is in full glory:
The Under The Door Tool (MULE)
Here's some pictures with measurements:
From Top of the Lever Catch to the Bottom of the Curve 42"
Proof it's actually 42"
Note that the doors I tested these on have the handles at 41". That may not be the case for your locale, get a tape measure and go get some weird looks, find an average that works for you.

From shaft to handle 14"
 The hoop, I didn't have any accurate measurement on the angle I just kinda guessed knowing that I needed to keep the handle away from the door so I could operate it but also needed to make sure the angle wasn't too wide so that the top where the string attaches would actually come back into contact with the door. The about a paint can estimate from darksim905 lockpicking seems to be about right, I just shaped it by hand but it seems to have worked out.

4.5" for the handle.
I've found it's a lot more comfortable for me to actually hold the whole handle instead of trying to put my hand through it to hold it. Adjust for your hand size / comfort.

Just over 6" for the top
I would like to note here that there is a design flaw. The loop where the rope attaches to needs to have it's lowest point nearest the door so the rope stays in place. Where the string is attached now should be the lowest point in the hoop, perhaps more of a triangle design, or something to hold it there. As it stands right now the rope has too much room to travel and, as you will see in the videos below, can cause it to miss the space between the door and the handle.

End of the Rope 5'
The 5' rope is a completely arbitrary number, seems to be about right though. Maybe a little shorter would work just as well. I do need to find another material and this is already starting to show signs of wearing where it scrapes against the bottom of the door when pulling to activate the handle.

Here's 3 videos of it in use. I've included the fail videos to dispel the theory that this is magic and everyone gets it on the first try. I hate videos that only show things working, you learn nothing from things working, you learn from things not working. It's not a complicated tool, but there are some caveats.

In this video you see what happens when your rope isn't at the point closest to the door, hence the redesign needed for the loop where the rope connects to more of a triangle.

In this video you see what happens if you don't keep control of the rope. It gets wound around the tool and then you can't get it over the handle.

And finally, victory. Like I said, not an overly complicated tool, but there are some things you need to keep in mind. The reason I had such a difficult time maneuvering the tool under the door is that this particular door has about half the space that the rest of the doors have between it and the floor.

Thursday, August 30, 2012

Tru-Bolt Alarmed Padlock

So while I was out picking up some material for a project I happened to run across this padlock.

I thought to myself, well, it has an unusual key, it has a tamper alarm, it's about $12... I need to play with this right now.

After reading the write up it has on it's packaging I was very excited to begin attempting to defeat this lock.

Here's what Tru-Bolt has to say about it's product:

This is the keyway and key, not much room to get a pick in there.:

I thought that perhaps I had found a decent lock with a novel idea at a decent price.

This is what happened when I opened it the second time:

I turned the key and then the whole lock plug came out.

This here is the only thing that holds the lock in place:

The ENTIRE security of this lock is defeated by this poor design
It's not tapped and threaded to lock it in place, it's not even glued in place, nothing, just rammed in there. Here's the corresponding  spot on the lock where it gets inserted:
That's not a particularly deep drilling point, it doesn't mushroom out at the top, it's actually tappered to a point at the lowest spot. There's NOTHING to actually keep that pin in it's place. Since that's the ONLY thing holding the lock plug in place that causes a bit of a problem.

I was pretty disappointed at that moment, this intriguing challenge ruined because some knucklehead didn't think about securing that pin.

Spirit bent but not broken I carried on with the dissection of the lock.

There is still the actual lock and the alarm.

Since the lock itself is essentially useless I put that on a back burner for later and went about finding out how this tamper resistant portion worked.

Let me start by saying that 110db (if that's actually how loud it is) is pretty damn loud. Ear splitting "OMG the earth is ending" loud. Needless to say the novelty of it going off did not extend to my family while I was playing with it. It was suggested that I make it stop doing that if I were to continue to occupy the house.

Here's the internals of the alarm.

It's really really loud.

Here's the bottom housing of the lock. It only holds the speaker, the contacts there connect to the battery pack and electronics that are housed in the lock body. It's attached by 2 screws that are accessible when you remove the shackle.


Outside, also the bottom of the lock.

Here's the actual electronics:

This is the battery pack, housing for the circuit board, and contacts that connect to the speaker. It's held in place by a large O ring that is pressed into a groove around the battery pack device and the lock body. This also helps weather proof it.
Battery Pack

Other side of the battery pack

Bottom of the circuit board on top of the battery pack

Another angle
Here is the ball for the switch that either enables or disables the alarm, it's a simple contact switch housed in a rubber / silicone housing inside the lock, above the battery pack.

As you can see here the shackle has a recessed area on one side. If you insert it with the recessed area in the hole with the switch the alarm is not active. The contact is not pressed, the circuit is open. If you insert the side that does not have the recess cut the ball is pressed into the contact and the circuit is closed and the alarm is then active.

Here's the lock and the part the interacts with the shackle to prevent it's unintended removal from the lock:

Insert the key and turn and the little wing there moves out of the path of the groove on the outside of the shackle.

On the product package it touts that the alarm has an "Anti-muffle design: alarm sound can not be concealed"

That, friends, is a lie.

BEHOLD!!! My magic sound dampening putty

It's actually just magnetic silly putty, but it works really really good.

                                                       Apply it to the lock as shown:

Once this is in place that lions roar of an ear shattering sound is reduced to a kittens squeak. It's completely tolerable. More along the lines of a kids toy buried under some stuffed animals than a rampaging 110 db alarm.

Part of the reason this works so well is that they've weatherproofed the lock so well to keep the internals dry. The only place loud sound can get out is at the vents on the bottom. VERY minimal sound can escape through the rest of the lock. Had they done a poor-er job of making it water tight you wouldn't be able to muffle it as well and that 110 db would be leaking out of everywhere.
They did one thing right, and it makes the lock worse.

I would feel comfortable picking this lock on a shed in someone's back yard while they slept in their house with the putty over the lock, there's no way they would hear it.

I haven't tried it yet, but I bet submerging the vents in water would also muffle the sound greatly. I also have an idea about using a paper clip to press against the speaker or puncturing the speaker, thus rendering the alarm function null and void. I'll do that later, after I'm done with the other experiments.

Alright so we now know we can muffle the sound. But what exactly does it take to set off the alarm, how sensitive is it? Well if I knew more about circuitry I could probably tell you. If anyone can give me some insight on the components on the circuit board that would be awesome, just leave something in the comments.

As it stands all I can do it just hit and shake the thing to see if it would go off. Given the lack of support I was receiving that night in my journey towards knowledge (did I mention that alarm is REALLY loud??) (Really really loud) (DAMN that thing is loud) I had to rig up a visual method to find out if the alarm was being tripped.

I got an old LED, a 9V battery connector, and some electrical tape and rigged myself up a visual alarm that would light the LED when the alarm is triggered.

Here's the video of me smacking it with a screw driver. Not very elegant, but I couldn't set the thing off by just shaking it in my hand, I had to hit it with something:

You actually have to smack it pretty hard, several times, to get it to go off, and it's kind enough to give you a 3 beep warning before it actually goes off. When it does go off it triggers the alarm for 10 seconds, then it automatically resets itself, I assume to save batteries.

So there you have it.

I have yet to get intimate with the lock itself but I hope that at least one part of this padlock is worth it's salt. As it stands I wouldn't use this thing to guard anything I considered valuable. I'm fairly certain if you stuck any key in the lock, or a sturdy tension tool, and turned it the pin holding the lock in place would give out and the whole thing would just fall apart.

I'll update this when I've laid bare the secrets of the lock itself.

Tuesday, August 21, 2012

Master Lock #3 Padlock teardown and the Peterson Silver Bullet Bypass

I don't own many bypass tools. To be exact I own two, one of my own making and the Peterson Silver Bullet for Master Lock Padlocks.
I picked up the Silver Bullet at Defcon from the Merch area, it looked deceptively simple from the example lock and demonstration. I just so happened to have a #3 padlock I had brought with me so I bought it.

I spent the next several days trying to figure out how in the hell to use the damned things. I read the directions a few hundred times, I looked online and all I saw was a lot of videos showing how easy it was and descriptions of "you just slide this one in, press down, then slide the other one in and press down".

I could not get it to work.

Furthermore there was nothing online that showed exactly how it worked, what it moved, and what the lock looks like inside.

So I decided to tear my lock apart and take a look for myself and see exactly what the hell I was supposed to be doing in there.
It's a #3 it got a bit ground off
So these here are the bypass tools, one marked A (shorter) and one marked B (longer). I've added a bit of heat shrink as a make shift grip because these are very thin and are hard to hold onto if your fingers are sweaty, also after a few hours of trying to get these to open the lock my fingers were getting sore from the edges of the metal.
Peterson Silver Bullet Bypass w/ "custom" grips

Here's the lock with the face and the unimportant plates removed.

This is what the "unimportant" plates look like. The inside shape is identical on all of them. The ones near the bottom (where you insert the key) of the lock are smaller on the outside to accommodate the blue plastic "Master" wrap the locks have on them.

This is the lock cylinder. Nothing fancy, just a 4 pin setup with no security pins. The back has a protrusion that when the sheer point is reached and the plug turned interacts with a post that moves the locking plates and releases the shackle.

This is the padlock without the plug. Finally I was able to see what was going on in there.
Outlined in Yellow are the locking plates, Red is the post that rotates to move the plates and release the shackle
                                     Here's a larger picture of the internals of the padlock.

                                               This is what the locking plates look like

You can see the scratches where I've been using the bypass on this one.

                                               So this is how the bypass actually works
This is with the A bypass inserted. Now normally you would slide this in while pressing the pins up in the lock to be able to access this, then you have to find where the locking plate contacts the post and press, it will move out of the way without a lot of pressure.

This is with both A and B bypass tools in their proper position. Bypass B tool has to reach the second locking plate which is about 2 plates further down than the first locking plate. Once the A tool is inserted properly it moves the locking plate which also reduces the opening available to get the B tool into it's proper position.

                     Here's some more pictures of the locking mechanism and post.

Post, there is a 3 stamped in the the middle

Side View, when turned the sides contact the locking plates and press them against the springs

Top, furthest from where key is inserted into the lock.

Lock with Top Plate removed, this is the locking plate that the B tool interacts with
Lock with Top Plates removed, this is the plate the A tool interacts with

Here are the 4 plates that make up the locking mechanism for the shackle

So that's it. The mystery of how the Silver Bullet Bypass tool actually works is solved.