In the first blog post about the Kankun smartplug, the Android application
was decompiled and the 256-bit AES encryption key was found. In this
blog post:
- The network traffic between the mobile app and the smartplug will be captured
- The network traffic will be decrypted using a script from Payatu
  and the encryption key found previously

Setup
- Plugging in the Kankun smartplug and setting up the iPhone app to talk with it
- Connecting to the Wi-Fi SSID from a machine running Wireshark
- Setting Wireshark up to monitor the network traffic
I’ll leave installing the iPhone app to the manual that comes with the
plug. I’ll also leave monitoring network traffic with Wireshark to the
many great blog posts out there on the subject.
With Wireshark monitoring the network traffic, various activities can
be performed from the iPhone application against the Kankun smartplug and
the packets captured.
Once traffic has been captured within Wireshark, the UDP
packets can be copied as a hexstream and decrypted. In this blog post
I will use a script by Payatu to perform the decryption. There
is one detail that is not specifically covered in the
Offensive IoT Exploitation course and that is important to the success of
the decryption.
When UDP packets are copied as a hexstream from Wireshark, the
hexstream includes the whole packet, not just the payload. As seen on the
User Datagram Protocol Wiki Page,
there is more to a UDP packet than just the data being sent to the
device: source and destination IP addresses, packet length, checksum,
etc. are all part of the copied bytes along with the data. Within Wireshark,
when different sections of bytes are hovered over within a packet, the
status bar at the bottom of the screen indicates which
piece of the packet they belong to. Moving toward the later bytes in the packet
reveals the “data” section. This is the section we are interested in
decrypting. This means that when the bytes are copied as a hexstream,
they need to be trimmed down to include only the
data. This was confusing at first, as I had forgotten about the
structure of a UDP packet and didn’t anticipate Wireshark copying
the whole packet as a hexstream.
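As an added example (not the post's own code and not Payatu's kcrypt.py), the following Python walks a hexstream copied from Wireshark down through the Ethernet, IPv4 and UDP headers to the data section, reporting the addresses and ports along the way much as the Wireshark status bar does, and then feeds the trimmed payloads to an AES-256 decryption like the one the next section performs with kcrypt.py. The sample frame, its MAC and IP addresses, ports and 16-byte payload are constructed values; ECB mode and trailing-NUL padding are assumptions, since the post does not state the mode the plug uses; and the decryption step uses pycryptodome, imported only when `decrypt_payloads` is called, so the header trimming works on its own.

```python
import socket
import struct
from typing import Any, Dict, List

# Constructed sample: one Ethernet/IPv4/UDP frame, laid out as Wireshark's
# "Copy as Hex Stream" emits it when the whole frame is selected.
# MACs, IPs, ports and the 16-byte payload are made-up values, not captured data.
SAMPLE_FRAME_HEX = (
    "aabbccddeeff" "112233445566" "0800"   # Ethernet: dst MAC, src MAC, EtherType IPv4
    "4500002c00004000" "4011" "0000"       # IPv4: ver/IHL, TOS, total len 44, id, flags, TTL, proto 17 (UDP), csum
    "c0a80a0a" "c0a80a01"                  # IPv4: 192.168.10.10 -> 192.168.10.1
    "d4316b27" "0018" "0000"               # UDP: sport 54321, dport 27431, length 24, csum
    "000102030405060708090a0b0c0d0e0f"     # UDP data: 16 bytes, one AES block
)


def _hex_to_bytes(hexstream: str) -> bytes:
    """Accept Wireshark's bare hex stream, or hex with spaces, colons or newlines."""
    return bytes.fromhex("".join(c for c in hexstream if c not in " :\r\n\t"))


def parse_udp_hexstream(hexstream: str, layer: str = "frame") -> Dict[str, Any]:
    """Walk from the layer the hex stream starts at down to the UDP data section.

    layer="frame": bytes begin at the Ethernet header (copying the whole frame)
    layer="ip":    bytes begin at the IPv4 header
    layer="udp":   bytes begin at the UDP header
    Returns addresses, ports and the trimmed payload, mirroring what the
    Wireshark status bar shows as you hover over each region of the packet.
    """
    data = _hex_to_bytes(hexstream)
    info: Dict[str, Any] = {}
    off = 0
    if layer == "frame":
        if len(data) < 14:
            raise ValueError("too short for an Ethernet header")
        (ethertype,) = struct.unpack("!H", data[12:14])
        if ethertype != 0x0800:
            raise ValueError(f"not IPv4 (EtherType 0x{ethertype:04x})")
        off, layer = 14, "ip"
    if layer == "ip":
        if len(data) < off + 20 or data[off] >> 4 != 4:
            raise ValueError("not an IPv4 header")
        ihl = (data[off] & 0x0F) * 4                     # header length incl. options
        (total_len,) = struct.unpack("!H", data[off + 2:off + 4])
        if data[off + 9] != 17:
            raise ValueError(f"not UDP (IP protocol {data[off + 9]})")
        info["src"] = socket.inet_ntoa(data[off + 12:off + 16])
        info["dst"] = socket.inet_ntoa(data[off + 16:off + 20])
        data = data[:off + total_len]                    # drop Ethernet trailer padding
        off, layer = off + ihl, "udp"
    if layer != "udp":
        raise ValueError("layer must be 'frame', 'ip' or 'udp'")
    if len(data) < off + 8:
        raise ValueError("too short for a UDP header")
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", data[off:off + 8])
    payload = data[off + 8:off + udp_len]
    if len(payload) != udp_len - 8:
        raise ValueError("UDP length field disagrees with the bytes present; "
                         "check which layer the hex stream starts at")
    info.update(sport=sport, dport=dport, payload=payload)
    return info


def decrypt_payloads(hexstreams: List[str], key: bytes, layer: str = "frame") -> List[str]:
    """Trim each hex stream to its UDP data and decrypt it with AES-256.

    ECB mode and trailing-NUL padding are assumptions about the plug's scheme.
    pycryptodome is imported here so that the parsing above works without it.
    """
    from Crypto.Cipher import AES  # pip install pycryptodome

    if len(key) != 32:
        raise ValueError("AES-256 needs a 32-byte key")
    cipher = AES.new(key, AES.MODE_ECB)
    plaintexts = []
    for hs in hexstreams:
        payload = parse_udp_hexstream(hs, layer)["payload"]
        if len(payload) % 16:
            # AES ciphertext is always whole 16-byte blocks; leftover header
            # bytes or a wrong `layer` choice show up as a misaligned length.
            raise ValueError(f"{len(payload)}-byte payload is not a multiple of 16")
        plaintexts.append(cipher.decrypt(payload).rstrip(b"\x00").decode("utf-8", "replace"))
    return plaintexts


if __name__ == "__main__":
    info = parse_udp_hexstream(SAMPLE_FRAME_HEX)
    print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']}")
    print("data section:", info["payload"].hex())
```

If you select only the Data node in Wireshark's packet details pane before choosing Copy as Hex Stream, you get just the payload bytes and can skip the parsing entirely; the `layer` argument covers the other cases, where the frame, IP or UDP node was selected. The block-alignment check in `decrypt_payloads` is the quick sanity test for the trimming problem described above: headers left on the front of the bytes almost never leave a multiple of 16.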
Decryption with Payatu’s kcrypt.py
As part of the Offensive IoT Exploitation course, the instructor
demos and provides a copy of a Python script, kcrypt.py. This script
is fairly straightforward: it takes a series of encrypted
strings and an AES key and then decrypts and prints out each
of the decrypted strings. The script is reproduced below with the
various strings that were captured from the UDP packets:
After running this script using the AES key found in the Android
app’s .so and the data captured from listening to the
traffic between the app and the device, the following results are
found:
After decrypting the data, the structure of the
commands sent to the device is apparent. Using this information, a
script could be created to mimic the functionality of the mobile app
and manipulate the device from a computer. In fact, that is just what
“0x00string” did with the Kankun controller script located
here. Configuring
the script with the proper IP and MAC address of the device allows for
manipulation of the device just as though you were using the mobile
app:
Awesome! We can now control the device from a computer.
This particular exercise was quite fun. It was really exciting to see
the analysis of a device lead to the ability to remotely control it
from a computer.