Re: Yes, trying to hack a remote control

["Brian Kerley" <kidgenius () gmail com>]

Dave: you're right that I did the really basic, simple scan, so I will
do the more in depth stuff later tonight.  Quick question though.  If
I attempted a telnet into that port, and it asked for a username/pass,
does that mean the service is actually running on that port?

Geoff: Hopefully it isn't just for firmware updates....otherwise it
might have to get a little crazier, like somehow snagging the firmware
update and seeing if I can use a resource editor on it to change
anything, and then upload a modified firmware to the remote.

Everyone else, I will perform upload the scan later tonight when I get a chance.

Thanks everyone!  I got a lot more replies than I thought I would :-)

On 2/8/07, Dave Moore <dave.j.moore () gmail com> wrote:
> When nmap gives you the name of a service, that name is in many cases
> only the most /common/ protocol to use a port, not the one that uses
> it exclusively. In other words, whichever port nmap identified as
> 'discard' is not necessarily running anything to do with discard
> (whatever that is)
>
> The latest versions of nmap have a feature whereby you can run scans
> that will actually connect to the port in question and fetch banners
> and anything else it can, and make a determination as to what is
> running on the port in question with this data, which is far more
> reliable.
>
> I'm assuming here that you're using a basic nmap scan, correct me if
> I'm wrong. But if you are, then the open ports nmap identified as
> telnet and ftp may not even be telnet and ftp. When you get into niche
> stuff like this, I'd not be inclined to take nmaps word for it.
>
> I suggest you download the latest version of nmap, and perform more
> intensive scans, such as the one mentioned above. If you're still
> having trouble, you should post port numbers and raw banner data (This
> can be garnered by use of the service scan mentioned above with one or
> two -v flags, for verbosity)
>
> I've got Nmap version 4.21ALPHA1 atm, I would probably start with this:
>
> nmap -sV -v -v -p 1-65535 -P0 169.254.1.2
>
> That -p switch is to scan all known ports, which nmap does not do in a
> default scan.
>
> YMMV and all that.
>
> Sorry if I just told you a bunch of stuff you already knew, but this
> is the basics list :)
>
> Dave
>
> On 2/7/07, Brian Kerley <kidgenius () gmail com> wrote:
> > Ok, you guys are going to probably think I'm the biggest loser, but here's
> > what's up.
> >
> > I've got a new Harmony 1000 remote from logitech. It's a new touchscreen
> > remote that has just came out.  Of course, I can't leave well enough alone
> > and would like to take a look at the inner workings of this thing.  That's
> > where it gets difficult and I'm hoping someone might be able to help.
> >
> > The remote connects via usb using a Belcarra USB Lan Link.  The remote gets
> > assigned an IP address of 169.254.1.2  I've scanned it and it shows that it
> > is running both telnet and ftp (as well as another service called "discard"
> > according to nmap).  So I've tried to telnet/ftp into it using a various
> > combination of passwords and usernames.  I've also tried to do a dictionary
> > attack, but the remote shuts the service down after so many attempts.  I've
> > also tried using both Cain and Wireshark to analyze the packets being sent
> > to the remote during an update that is performed by the included software.
> > I got a lot of data, but I can't seem to find any plaintext passwords or
> > usernames in the packets.  The software running on the computer is java, and
> > the remote's software might be java as well.
> >
> > Do you guys have any ideas on how I might be able to get into this thing?
> > There are also a lot of guys running linux that have other logitech remotes,
> > and of course are high-and-dry right now about how to update without running
> > a virtual environment.  If I can figure how to get in over one of these
> > services, then maybe it can be of some help to those guys.
> >
> > Thanks,
> > Brian
> >
>
>
> --
> ==========
> A human being should be able to change a diaper, plan an invasion,
> butcher a hog, conn a ship, design a building, write a sonnet, balance
> accounts, build a wall, set a bone, comfort the dying, take orders,
> give orders, cooperate, act alone, solve equations, analyze a new
> problem, pitch manure, program a computer, cook a tasty meal, fight
> efficiently, die gallantly. Specialization is for insects. -Heinlein
>
> This message copyright (c) 2004-2007 David J Moore