Our channel is all about IT security, hacking for the good side, and security vulnerabilities in a wide variety of IT products. We are happy to share our knowledge and present the results we have achieved in a clear, illustrative way.
From our "SySS Proof of Concept" and "SySS Tool Tip" videos to explanatory videos, you will always find interesting new insights from the world of IT security here.
We, SySS, are the market leader in Germany in the field of penetration testing and also offer digital forensics, red teaming, technical consulting, live hacking, and training. If you have any questions about us or our work, we are always happy to hear from you.
SySS GmbH
Schaffhausenstraße 77
72072 Tübingen
Germany
Tel.: +49 (0)7071-407856-0
E-Mail: [email protected]
www.syss.de
Managing Director: Sebastian Schreiber
Court of registration: Amtsgericht Stuttgart / HRB 382420
Tax number: 86118 / 55809
Comments
project not found. Deleted
If you are referring to the GitHub repository of our developed password recovery tool, this will stay private for some more time until more affected users have applied the corresponding security updates.
@SySSPentestTV Which version of Eaton is affected?
@SySSPentestTV I need to test my PLCs. So can you share it in a PM?
@PIDOtomasyon According to Eaton, all easySoft software versions prior to V8.01 and all easyE4 versions prior to 2.02 are affected by the demonstrated security issues. Also see the corresponding Eaton vulnerability advisories: www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2023-1010.pdf and www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2023-1011.pdf .
@SySSPentestTV Thank you for the information.
Great skills you have. You can make a lot of money if you offer this service.
This is funny, how the manufacturers didn't take preventative measures against this exploit and only relied on praying that the internet wouldn't figure out a way to bypass it.
Cool video!
How did you know the first to fourth _id_byte_?
It's the ID specified by the manufacturer, it can generally be found in the datasheet. There are also tables available that will show some of the more common ones. (Not often updated but really only the first 2 seem to ever really matter.)
Would this method work on a USB thumb drive that has been BitLocker-encrypted?
Hi, do you know whether the security vulnerability has already been fixed by Abus, successfully and securely enough?
Thank you so much for this video. I've been able to replicate this almost up until completion. Except at the end, once all is prepped and ready to go, when I launch lpc_tpm_sniffer.py, I get "Unable to connect to FTDI serial interface". Using the most recent version of Ubuntu, and I have removed the default Ubuntu USB drivers and installed the D2XX drivers. Does the iCEstick have to be in D2XX mode on both side A and B? Is there additional config not covered in the original thread? Any help is appreciated! Thank you!
Cool
Excellent work. Thank you very much. Nice idea with the Almanac file :D It is clear that the device is not secure for professional use. However, it might be a reasonable (inexpensive) option for an ordinary Joe who wants to prevent his sensitive files from being stolen by some random thief or a random person who simply found such a pen drive.
Then how do you make secure pen drives, or which one can you buy that is actually secure?
No physical protections? No chip armour? Nothing? We just unscrew the SSD and brute-force it... amazing.
Great contribution and explained very clearly 👍 An explanatory video on the topics of red teaming and bug bounty vs. pentest would also be interesting.
DPM - Doubting Platform Module
Does this work on WD password-encrypted drives?
Hello my friend, I get these errors when I try to install the extension:
java.lang.Exception: Extension class is not a recognized type
at burp.Zm66.Zx(Unknown Source)
at burp.Zm66.ZK(Unknown Source)
at burp.Zmxm.Z_(Unknown Source)
at burp.Zx7.ZU(Unknown Source)
at burp.Zozo.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:577)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
at java.base/java.lang.Thread.run(Thread.java:1589)
Can you help me?
kzread.info2A3f3qZSz7s What is this error? Can you help me ?
Does this work via the USB cable? What software are you using to ping? Does it work on Windows 10?
This attack works via the Ethernet connection using our developed Nmap script "slig" (github.com/SySS-Research/slig). The tool used for pinging the device is the iputils tool "ping".
This is why I'm wanted in multiple states and countries.
Interesting
Did anybody try to hack USB-R recordable flash drive? kzread.info/dash/bejne/eZeJtK-PfZuckaw.html
Great work!
could you show a diagram with the pinouts of the icestick?
You can find the pinout in our GitHub repository for the "iCEstick LPC TPM Sniffer" ( github.com/SySS-Research/icestick-lpc-tpm-sniffer ).
Looks like the new version Logo 8 ES4 has closed port 10005, but port 135 is still open. But when we try this new port, all usernames and passwords are empty.
Interesting video!
What I would find interesting now is what exactly gets patched in the process.
7405BB01000000 😏
@SySSPentestTV How do you know my password?
What cables/fly leads are you using to connect the J1 on the iCEstick to the TPM chip?
Some jumper wires and a simple custom-made breakout board are used. You can find more information in our GitHub repository for the "iCEstick LPC TPM Sniffer" ( github.com/SySS-Research/icestick-lpc-tpm-sniffer ).
When I consider the password, port 10005 is closed, but when I don't consider the password, the port is open.
I have a problem reading the NAND number 29f64g08cbaba; it gives errors in the verify stage using the T56 programmer. What is the solution? Thank you.
I love that no one comments on the very clear Back To the Future reference.
Hi, is there any other pen drive with much better protection than this one? Which would it be? Thank you.
Yes. It is the USB-R recordable flash drive. kzread.info/dash/bejne/eZeJtK-PfZuckaw.html It has protection from unauthorised access and from all sorts of tampering such as ransomware, viruses or targeted attacks.
How many meters does it reach?
Switch On The Lights 💡
Gang Force 2010
applause 👏🏼
💥
“So We Need Sum Band-Aids?”
Does this work in V8.3?
Mine is brand new and port 10005 is not present, so I don't think it works.
Is there a way to just disable passwords? I'm only using the PLCs in a local network and it's a pain to have to enter that password over and over again.
Hi, seems like Verbatim released some firmware update, could you look at it and tell what changed ?
If you set a password with 12 digits, that means 10^12 (1 trillion) combinations. How did you manage to check 1 trillion combinations in a couple of seconds? I see you have 10 million candidates per second. That means to check 1 trillion combinations you need 1T/10M = 100,000 seconds, or 24 hours... or is my math wrong?
Your math is right. In your example, checking all 12-digit passcodes would take 100,000 seconds, which is about 27 hours, 46 minutes and 40 seconds.
Good to know. In case you lose your device, you have ~24 hours to make sure your sensitive data is no longer sensitive 😁
Then how do you make secure pen drives, or which one can you buy that is actually secure? Like one no one can crack.
Thx bro
I only stumbled across your demo of this today, and wanted to make a comment should others find this video. Your title seems to imply that this is an attack on the Logitech R400, when in fact it's really the Logitech dongle that has the issue. If people were to stay away from the R400 because of this flaw, it would be a mistake. And just so you know, the firmware of the Logitech dongle has long since been updated to patch this vulnerability. Also, it would have been helpful to viewers if you had mentioned the version of the firmware at the time of this recording.
Brand new R400 are still vulnerable
Thanks for explaining. It's 2023 now, is there a firmware update for the r400 (or the dongle) that solves this issue?
Hey, I need your help. I was able to clone a hard drive, but when I boot the drive, it loads files and everything, then shows me a "failed authentication" message.
Can the software to hack into it be downloaded and is it safe to use ?
Very interesting. AFAIK, the ReinerSCT Authenticator is a German-made hardware TOTP token that allows "syncing" the time via QR code. It has to have that mechanism (e.g. after the battery is depleted). Can you check whether your exploit works on it as well?
I read the CVE. Did Verbatim really just ignore your disclosure like nothing happened??
Where can I download the cracker tool to check whether my Verbatim Secure is also vulnerable?
The demonstrated software tool is model-specific and has not yet been published by us. If your model is a Verbatim Keypad Secure #49428 (64 GB), which was used for our analysis, it is definitely vulnerable to the brute-force attack shown. Whether the #49432 (128 GB) model of the Verbatim Keypad Secure has the same vulnerabilities as the #49428 model is something we have not explicitly checked. However, the probability is very high. The manufacturer Verbatim should be able to make a definitive statement on this. Both models are currently no longer listed on the Verbatim website.
@SySSPentestTV I have article no. #53402 (Verbatim Store 'n' Go Secure SSD - Keypad) and wanted to check whether this model is vulnerable. I opened the device and saw that it also uses a removable eMMC like the one shown in the video.
We have not tested the Verbatim Store 'n' Go Secure SSD (#53402), but we did test the Verbatim Store 'n' Go Secure Portable HDD (#53401) model, which is also vulnerable to the demonstrated brute-force attack (www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-005.txt ). Here, too, the probability is quite high that the SSD variant has the same vulnerabilities as the HDD variant.
The Verbatim Store 'n' Go Secure Portable SSD is also affected by the four vulnerabilities we were able to find in the Verbatim Keypad Secure. We published the corresponding security advisories today: www.syss.de/pentest-blog/schwachstellen-in-verbatim-store-n-go-secure-portable-ssd-syss-2022-043/-044/-045/-046
Actually, one would expect that something like this should no longer be possible today. Time and again you see that you must not believe the crypto promises on packaging before they have been carefully verified. 👍
Hello, I am trying to recover a dump file from an MKE02z64, do you think it is possible using this method? THX!
i have CycloneMax so far
Frighteningly easy 😯. But that would have to be a very targeted break-in, requiring a correspondingly large amount of preparation.
Secretly holding a phone against a trouser pocket for a few seconds is enough, and it's doable if you're practised.
It doesn't work, it says 10005/tcp closed stel
Good evening. How do you find out the password on Windows?
Could you make the font in your screen recordings larger in the future, so it's easier to read?
Yes.
Can we use this for out of network rdp's ?