Penetration Testing Biometric

29 Nov 2013


Penetration Testing Biometric System

By FB1H2S aka Rahul Sasi

http://Garage4Hackers.com

http://null.co.in/

http://nullcon.net/

Who am I?

What is this paper about?

I am an Info Security Enthusiast. http://fb1h2s.com

Rahul Sasi aka FB1H2S, working as a consultant. http://www.aaatechnologies.co.in

Active participant of Null and other computing groups.

A member of Garage4Hackers. http://www.Garage4Hackers.com

What does this paper contain?


Explaining the Risk?



Fingerprint systems are deployed everywhere, for attendance and door management.

Advantages and disadvantages of bio-systems.


The devices hold critical information.



Employee Details

Employee Attendance

Employee Salary


Why audit them?



I just Hacked into Biometric Attendance Register and Changed attendance and salary :D of mine and my @#$$

Student / Employee

Professor / Not so good co-worker

I am marked 10 days absent, what the |-|3ll is happening!

Classifying the Attacks


Local Attacks:


Finger Print Sensor


USB Data Manager


Remote Attacks:


Remote IP Management


Back End Database


Finger Print Manager (Admin Interface)



Biometric System Attack Vectors


Biometric Systems Common Applications

Reliable attendance managing system.

Biometric Finger print guarded doors, implemented for keyless secure access to doors.



Attacks: The Non Technical part


Local Attack: Finger print sensor





Finger print scanners read input using two methodologies:

1) Optical scanner

2) Capacitance scanner

Finger print recognition systems are image matching algorithms

Cloning a duplicate finger print and cheating the image recognition algorithms





Stealing a Finger Print



Your finger impressions are left anywhere you touch, e.g. on glass.



My Approach: Finger Print Logger


Biometric sensor looks like this.







Placing a thin transparent object with a lower refractive index in front of the sensor and logging finger prints.


Building Finger print logger


Refraction:





Use a thin transparent sheet with a lower refractive index

Log the victim's fingerprint using the finger print logger



Steps Building Logger


Special Points to be Considered


Reproducing a Fake Finger print:



Local Attack: USB Data Manager.



Biometric devices have built-in data storage, where they store the fingerprints and user information.

They support USB in order to download and upload fingerprints and other log details to and from the device.

Most of the devices do not employ any sort of protection mechanism to prevent data theft, and those which use password protection are often deployed with the default password.






Attacks: The Technical part




Remote Attack Vectors.







Remote Attack Vectors



IP implementation for data transfer


Biometric Management Servers


Biometric Admin/Interface (web based and desktop based)


Back end Database


Man In The Middle Attacks



TCP/IP Implementation for Remote Management:


Remote Administration Implementation



Issues


The remote administration capability of this device lets biometric servers authenticate to it and manage it remotely.

We are completely unaware of the management protocol used, as the program is embedded in the Biometric MIPS device.

Solutions

The admin application knows everything about the remote device, so if we could get a copy of that application it will tell us everything we want.


Example Attack

Attacking the remote management protocol: example.

Situation: The remote administration implementation is unknown.

Footprinting: The label on the Biometric device will reveal which company has marketed or built that product.

Download a copy of the remote management software from the vendor site.




Example Attack

Reverse Engineering the Application




Reflector is used to disassemble the .NET application.

Detected the TCP/IP settings the device uses for communication: it uses port 4370 to communicate.

The application uses COM objects which interact with the device.

IDA is used for disassembling the COM objects.

Disassembling the import function shows the communication details.
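Added example (not part of the original slides): since the management traffic was found on port 4370, a defender can review flow logs for connections to that port from anything other than the authorised management server, or to hosts missing from the terminal inventory. The log format, the addresses and the names `AUTHORISED_MANAGERS` and `KNOWN_TERMINALS` are assumptions constructed for this example.

```python
import ipaddress

MGMT_PORT = 4370  # management port named on the slide above

# Assumptions (all addresses constructed): management server and terminal inventory.
AUTHORISED_MANAGERS = {ipaddress.ip_address("10.20.0.5")}
KNOWN_TERMINALS = {ipaddress.ip_address(a) for a in ("10.20.8.11", "10.20.8.12")}

# Constructed flow records in a made-up format: time src dst proto dport action
SAMPLE_FLOWS = """\
2013-11-29T09:00:01 10.20.0.5 10.20.8.11 tcp 4370 allow
2013-11-29T09:02:17 10.20.3.44 10.20.8.11 tcp 4370 allow
2013-11-29T09:02:40 10.20.3.44 10.20.8.12 tcp 80 allow
2013-11-29T09:05:03 10.20.0.5 10.20.9.77 tcp 4370 allow
2013-11-29T09:06:00 truncated record
2013-11-29T09:07:12 10.20.3.44 10.20.8.12 tcp 4370 deny
"""

def parse_flow(line):
    """Return a dict for a well-formed record, or None for a malformed one."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "proto": proto,
                "dport": int(dport), "action": action}
    except ValueError:
        return None

def audit(flows_text):
    """Return (time, finding, src, dst, action) for suspicious port-4370 flows."""
    findings = []
    for line in flows_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["dport"] != MGMT_PORT:
            continue
        row = (str(rec["src"]), str(rec["dst"]), rec["action"])
        if rec["src"] not in AUTHORISED_MANAGERS:
            findings.append((rec["ts"], "unauthorised-source") + row)
        if rec["dst"] not in KNOWN_TERMINALS:
            findings.append((rec["ts"], "uninventoried-terminal") + row)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

Denied flows are reported as well, because a blocked attempt from a workstation to a terminal's management port is still worth investigating.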



Example Device Command extracted


Commands to set the device time remotely



Auditing Back End Database



From disassembling, we were able to find the local database password file and the encryption key hardcoded in the application.




Biometric Admin/Interface (web based and desktop based)

Another possible point of attack is the admin interface; these are either desktop based or web based.

Desktop based applications are common, and interacting with them requires local privileges on the Biometric server.

But web based admin panels could be attacked from outside.

So an application check on those modules for application vulnerabilities could also help.





Nmap Script: Detecting Biometric Devices on the Network:

How to detect these devices on the network for attacking?

Nmap Script Output.


Attack Videos


Conclusion


The risks and vulnerabilities associated with biometric devices are explained.

This shows the necessity of including these devices in the scope of a Network Audit.

