Cybergibbons 🚲🚲🚲
May 15, 2022, 25 tweets
A friend's father had his PC taken over by scammers.... just doing a bit of forensics on it to work out what happened.

First sign is a download of amazon_security.exe which is actually Supremo Remote Desktop. supremocontrol.com
Almost immediately followed by AweSun - another remote control tool.
Many months later, Anydesk is also installed.
Anydesk log - interesting name on that incoming session request.

Any "direct scam paid 3" on the connection flags?
Log files are a bit all over on Anydesk, but this inbound connection is from 103.220.18.194.

Kolkata, India.

shodan.io/host/103.220.1…
The IP has Sonicwall exposed to the Internet which is a bit odd.
AweSun logs show another Kolkata IP with SonicWall.

shodan.io/host/103.121.1…
I believe ad.roster.items in user.conf for Anydesk are recent sessions made.

That's a lot of sessions - is this a logged in account that lets us see what the scammers are doing?
Another sign they are trying to pretend to be Microsoft.
Unattended access password hash, maybe?

Anyone know how you crack these?
Opened History SQLite3 DB from Edge. Lots of money transfer stuff being done.
They do seem to have stored a couple of passwords in Edge's password safe. Not sure how to trivially access that from an image, might need to boot from an image.
Deeply tempted to spin this up on a danktop with a keylogger installed and grab all the passwords they are using.
The Anydesk session appears to allow switch_sides and filetransfer both ways. High risk for them?
Jesus, Anydesk is just a massive monolithic binary in Windows... going to be a real pain to reverse that hash algorithm.
cheesedog123 gives this hash. Salt changes each time.

ad.anynet.pwd_hash=c81e58dc07bfb2dc42e5bffd47f25d7d17d870e673895bee99b36d6c28bd3960
ad.anynet.pwd_salt=2170a3c5bfd1728bb098f4fdcabfd6ea
Ah, the Raspberry Pi Linux .deb looks like it's a lot easier going.
Ok, SHA256 constants.

Yes, I am so sad that I can eyeball these now.
Surprised no one else has looked into this before.

Annoying that it's a monolithic binary, some imports would make this much easier.
Thanks to @LennertWo and a memory dump into this function from Frida, we have the hash function worked out.

It's sha256(password + null + salt)

I thought I tried that but must have made a mistake.
I think we can coerce hashcat into doing this by putting a null at the beginning of the salt...

One moment please.
Yep - just put the null on the start of the salt.

hashcat --hex-salt -m 1410 anydesk.txt dict.txt
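An added example, not code from the thread: a small checker for incident responders that reads the two ad.anynet.pwd_* lines out of an AnyDesk user.conf, builds the hashcat -m 1410 line with the null prepended to the hex salt as the thread does, and tests whether a recovered password matches the stored unattended-access hash. It assumes, consistent with the --hex-salt usage above, that the hex salt is decoded to raw bytes before hashing; the sample user.conf lines are the ones quoted in the thread, and the function and variable names are my own.

```python
import hashlib
import re

# Sample input constructed from the two user.conf lines quoted in the thread
# (the thread reports these as the hash/salt produced for "cheesedog123").
USER_CONF = """\
ad.anynet.pwd_hash=c81e58dc07bfb2dc42e5bffd47f25d7d17d870e673895bee99b36d6c28bd3960
ad.anynet.pwd_salt=2170a3c5bfd1728bb098f4fdcabfd6ea
"""


def parse_user_conf(text):
    """Return {key: hex_value} for the ad.anynet.pwd_hash / pwd_salt lines."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^(ad\.anynet\.pwd_(?:hash|salt))=([0-9a-fA-F]+)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2).lower()
    return found


def anydesk_pwd_hash(password, salt_hex):
    """sha256(password + NUL + salt) as worked out in the thread.

    Assumption: the hex salt from user.conf is decoded to raw bytes, which is
    exactly what hashcat --hex-salt does with the '00'-prefixed salt field.
    """
    data = password.encode("utf-8") + b"\x00" + bytes.fromhex(salt_hex)
    return hashlib.sha256(data).hexdigest()


def hashcat_line(pwd_hash, salt_hex):
    """Build the -m 1410 (sha256($pass.$salt)) line: hash:00<hex salt>."""
    return f"{pwd_hash}:00{salt_hex}"


def verify_candidate(conf, password):
    """True if the candidate password reproduces the stored pwd_hash."""
    expected = conf["ad.anynet.pwd_hash"]
    return anydesk_pwd_hash(password, conf["ad.anynet.pwd_salt"]) == expected


if __name__ == "__main__":
    conf = parse_user_conf(USER_CONF)
    print(hashcat_line(conf["ad.anynet.pwd_hash"], conf["ad.anynet.pwd_salt"]))
    print("cheesedog123 matches stored hash:", verify_candidate(conf, "cheesedog123"))
```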
Ok - parallel to this, I've pulled the passwords from Edge. They are the same and of the form Word123.

They used the user's email address on several money transfer platforms.

The pass works.
I now have the Anydesk password as well.

longerword123

This is falling apart quite quickly.
I have a train to catch, back later!
