Matt, not only is the content of your videos always entertaining, but I also really like the attention you pay to making your screen readable by zooming in. Truly commendable!
He also keeps the audio consistently at a nice healthy level with no obnoxious transients or dips.
Great video but if my kids figure out how to mitm the NTP protocol to avoid parental controls, they can have all the screen time they want 😂
I guess mine did take the first step towards that by manipulating the date and time in the BIOS before I realized I should lock it down (at least it slows them down). 😁
Really awesome demonstration of this bug class! I'm really surprised this is my first time hearing of attacking the NTP protocol.
I saw security cameras (or rather a setup with a box that the cameras connect to) which writes and overwrites video on disk according to its real-time clock timestamp. It also uses plain NTP without even an option to use secure NTP. It also sends everything back to China, which is "justified" by them making a smartphone app from which you can push buttons and get access to your data, because there is no other way to get it from the box, even if you are on the same network as it, but I digress :)
I don't think this is required for access control systems. My neighbour had a fancy system installed; they went on holiday and someone robbed them of everything. All doors and gates were opened and no alarms went off. I mentioned to them in passing the value of old-school locks and keys, and he agreed.
Those are almost always an insider threat... meaning that the security company, or someone who works with them, are the burglars. Have your friend investigate the company, its affiliates and its employees, past and present.
Just curious, we reached out via email for two systems we need "hacked" but never heard back.
NIST offers authenticated NTP.
oh yeah there are secure alternatives, they are just rarely used.
Go look at how this works. You literally have to send NIST a letter. They return a symmetric shared key that you then have to install on your systems. That's not viable, simply because you have to keep that symmetric key really secret.
They are not as simple and elegant as just plain DNS over any other transport, which can be TLS but can be anything else. Under Linux with GNU libc, you can edit /etc/resolv.conf (and make sure that nobody else edits it; dhcpcd is the first suspect), adding an `options use-vc` line, which means that every process that calls the standard `getaddrinfo` will make its DNS connections over TCP rather than sending UDP packets. After that you just set up stunnel to listen on localhost TCP port 53 and connect to port 853 of a server that supports DNS-over-TLS. That's how easy it is: you don't need any DNS-specific code, you just treat it as any other plaintext protocol that needs to be wrapped in a secure tunnel.
Once I set up system-wide DNS-over-TLS, I almost immediately remembered that NTP is not secured in any way at all. Unfortunately, it seems that there is no standard way to tunnel NTP over TLS or any other tunnel. There is some "secure" protocol, but they do their own thing, which I genuinely hate in protocols, when they do that instead of just being tolerant of being transported over a different transport than raw UDP.
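As an added example (not code from the video, the commenter or any project mentioned here), this is what a client actually gets back from a plain NTP server and the few plausibility checks it can apply on its own, since, as the comment above says, nothing in the packet is authenticated. The 48-byte header layout is the fixed NTPv4 header from RFC 5905; the build-time floor and the step limit are assumed policy values, and every packet is constructed here rather than captured from a real server.

```python
"""NTP reply parsing plus client-side plausibility checks.

Added example for this thread, not code from the video. The header layout is
the fixed 48-byte NTPv4 header from RFC 5905; the build-time floor and the
step limit below are assumed policy values, and every packet is constructed
here rather than captured from a real server.
"""
from __future__ import annotations

import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def ntp_ts_to_unix(word: int) -> float:
    """64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix seconds."""
    return (word >> 32) - NTP_UNIX_DELTA + (word & 0xFFFFFFFF) / 2**32


def unix_to_ntp_ts(unix: float) -> int:
    whole = int(unix)
    frac = int((unix - whole) * 2**32)
    return ((whole + NTP_UNIX_DELTA) << 32) | frac


def build_ntp_reply(transmit_unix: float, stratum: int = 2) -> bytes:
    """Constructed server reply (version 4, mode 4). Because nothing is signed,
    an on-path attacker can put any transmit timestamp here and the client
    cannot distinguish it from the real server's answer."""
    first = (0 << 6) | (4 << 3) | 4                         # LI=0, VN=4, mode=4 (server)
    header = struct.pack("!BBbb", first, stratum, 6, -20)   # stratum, poll, precision
    root = struct.pack("!II", 0, 0)                         # root delay, root dispersion
    ref_id = b"GPS\x00"
    ts = unix_to_ntp_ts(transmit_unix)
    # reference, origin, receive, transmit timestamps
    return header + root + ref_id + struct.pack("!QQQQ", ts, 0, ts, ts)


def parse_ntp_reply(pkt: bytes) -> dict:
    """Decode the fields a client acts on. Raises on malformed input."""
    if len(pkt) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    first, stratum, _poll, _precision = struct.unpack("!BBbb", pkt[:4])
    _ref, _orig, _recv, xmit = struct.unpack("!QQQQ", pkt[16:48])
    return {
        "leap": first >> 6,
        "version": (first >> 3) & 7,
        "mode": first & 7,
        "stratum": stratum,
        "kiss_of_death": stratum == 0,   # stratum 0 in a reply signals kiss-o'-death (code in refid)
        "transmit_unix": ntp_ts_to_unix(xmit),
    }


def accept_ntp_time(candidate: float, local_now: float, build_time: float,
                    max_step: float = 1000.0) -> tuple[bool, str]:
    """Cheap checks that need no server authentication but stop the crude
    rollbacks: never go before the firmware build time, and once the clock is
    already past that floor refuse large jumps (ntpd's default panic threshold
    is 1000 s; the value here is a parameter, not a standard)."""
    if candidate < build_time:
        return False, "rejected: earlier than build time"
    if local_now >= build_time and abs(candidate - local_now) > max_step:
        return False, f"rejected: step of {candidate - local_now:+.0f}s exceeds {max_step:.0f}s"
    return True, "accepted"


if __name__ == "__main__":
    BUILD_TIME = 1700000000.0               # assumed firmware build timestamp
    now = 1700003000.0                      # assumed current local clock
    for label, t in [("honest", now + 30), ("rollback to 2000", 946684800.0),
                     ("jump +1 year", now + 365 * 86400)]:
        reply = parse_ntp_reply(build_ntp_reply(t))
        print(label, reply["transmit_unix"], accept_ntp_time(reply["transmit_unix"], now, BUILD_TIME))
```

The checks are deliberately weak on purpose: they do not make NTP trustworthy, they only remove the free wins (1970/2000 rollbacks and multi-year jumps) that an unauthenticated reply otherwise hands an on-path attacker. An attacker who can keep the clock within the step limit can still drift it.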
Matt, can you show us (if not already) how to modify extracted firmware? I have an IP camera that I want to add RTSP to (if at all possible) when I get better at it. Great video, by the way! Thanks for sharing!
One option would be to flash openipc to your camera (if it is supported). I think it’ll be easier and openipc is open source!
@gvtemberg Yes, I was actually looking at that earlier; I just need to check tomorrow if the camera is supported... although I would still love to try modifying the firmware myself at some stage as an exercise 👍
Untrusted.... cool rock band name.
There's already an artist with that name who gets over 500K monthly listeners on Spotify alone.
If you think you've come up with an idea, chances are someone smarter than you and I combined has already thought of (and acted on) it.
There are only two events to chase. So what about mcast?
What about Precision Time Protocol? Does this have encryption, or can we manipulate systems like that too? Great video, as always.
I don't think PTP can be spoofed the same way as NTP, as it is continuous and has TPM integration.
Will this also work with expired CA certificates?
I wonder if this has something to do with insecure random number seeding based on time. Like using insecure random numbers to get a device to set its root password to something, maybe... Just an idea (only 8 mins into the video).
That's a spicy title 😅
gotta do what you gotta do, at least he isn't uploading useless info fwiw
How does MITM-Router intercept the actual NTP request?
It intercepts all network traffic, including the outgoing traffic, because it acts like a router. Mitm-router forwards these requests to the actual router but keeps a log of all the network packets, frames, segments and all the other network traffic.
@hankpeterson628 What does interception mean in this case? Is the Raspberry Pi just broadcasting the request to all devices in the network and waiting for the first one to respond? Why would it pick this router over the WAN one? Is there anything you can link me to so I can read up more on this?
@Izaeah No, it does not broadcast the requests; rather, at startup it searches for the default gateway (either set up manually or dynamically found when it does a DHCP discover; the DHCP server can tell the client what the gateway device is). If you assign the mitm router as your gateway, the devices will send their routable traffic to that router, which in turn forwards it to the actual router.
@hankpeterson628 I see! So correct me if I am wrong, but does that mean that if you don't have access to configuring the network the client connects to, then you can't intercept the traffic? Or do you just run mitm router with the same SSID and password as the default gateway?
If you are on the same subnet, you can ARP poison to perform a similar MITM attack. This tool is just the easiest way to set up a research network.
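The ARP-poisoning route mentioned in the reply above works by making the victim's ARP cache map the gateway's IP to the attacker's MAC. As an added example (not code from the video, the commenter or the mitm-router project), here is the frame shape that does that, alongside a small detector that flags a watched IP being claimed by a second MAC. The frames are constructed, the addresses are made up, and the "watched" gateway address is an assumption about the network being defended.

```python
"""ARP-poisoning detector for the same-subnet MITM mentioned above.

Added example for this thread, not code from the video or the mitm-router
project. The frames below are constructed, the addresses are made up, and the
watched gateway address is an assumption about the network being defended.
"""
import struct

ETH = struct.Struct("!6s6sH")             # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")     # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Constructed ARP reply. A poisoner sends exactly this shape with the
    gateway's IP as sender_ip and its own MAC as sender_mac, so the victim's
    cache maps the gateway to the attacker."""
    eth = ETH.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REPLY,
                   mac_bytes(sender_mac), ip_bytes(sender_ip),
                   mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp_reply(frame: bytes):
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return ".".join(str(b) for b in spa), ":".join(f"{b:02x}" for b in sha)


class ArpWatch:
    """Remembers which MAC each IP has claimed; alerts when a watched IP
    (typically the default gateway) is suddenly claimed by a different MAC.
    Only sees frames on its own segment, which is also where the attack lives."""

    def __init__(self, watched_ips):
        self.watched = set(watched_ips)
        self.table = {}

    def observe(self, frame: bytes):
        parsed = parse_arp_reply(frame)
        if parsed is None:
            return None
        sender_ip, sender_mac = parsed
        previous = self.table.get(sender_ip)
        self.table[sender_ip] = sender_mac
        if sender_ip in self.watched and previous not in (None, sender_mac):
            return f"ARP change for {sender_ip}: {previous} -> {sender_mac}"
        return None


if __name__ == "__main__":
    watch = ArpWatch(["192.168.1.1"])                      # assumed gateway
    victim = "de:ad:be:ef:00:10"
    frames = [  # constructed traffic: real gateway answers, then a poisoner
        build_arp_reply("aa:bb:cc:00:00:01", "192.168.1.1", victim, "192.168.1.10"),
        build_arp_reply("aa:bb:cc:00:00:02", "192.168.1.20", victim, "192.168.1.10"),
        build_arp_reply("02:00:00:00:00:99", "192.168.1.1", victim, "192.168.1.10"),
    ]
    for f in frames:
        alert = watch.observe(f)
        if alert:
            print(alert)
```

A real deployment would feed this from a capture socket and also watch unsolicited (gratuitous) replies and replies that arrive without a matching request; a static ARP entry for the gateway on the devices that matter removes the problem outright, which is the same "configure the client, not the network" point made about the mitm router above.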
make a video on your arch setup pls
Awesome stuff!
Great explanation.
please make more videos like this
Jan 1 is a date, not a time; a time would be like between 8 and 9 pm, etc.
😂
Weird, then why can a "timezone" change what date it is? Dates are a coordinate system for time. You seem to be confusing "time" with "time of day".
@Spudz76 A timezone doesn't change the date; a time zone changes the offset from GMT/UTC, which, when you go past midnight, becomes the next day. That is how days work. Which timezone do you have to change to in order to go back or forward to the 1st of Jan?
@johng.1703 stahp
Dates are absolutely a measure of time; just like kelvin, celsius and fahrenheit are all measures of temperature, dates, hours, minutes and so on are all measures of time. Dates aren't quite as uniform a measurement, though, but it is still a time.
Damn, won't we get to know about the exact bug, though?
Great video
One day my disclosures will return a bounty; at least I have CVEs to my name :) Unauthenticated remote code execution just isn't enough sometimes :P
Who asked?
@JoeMamaTheSecond It's called engagement and talking on the topic of bug bounties.
@semaja2 Blog it.
Awesome presentation Matt … 🦾🙏