* FINDING EPOS VIA HACKING LANS *
Ok, here we go. Many people ask me how I manage to find EPOS and Building Access Control Systems, CCTV etc and to be honest, the answer is shockingly easy. However I'm going to make this more complicated as most noobs find easy targets.
Finding IP Ranges
First I would walk around local industrial or commercial estates with my Android phone. I would set up a wireless mapping tool such as WiGLE which allows me to identify networks with either weak security or open wifi networks. Sometimes you can walk into a business for a job interview and ask for the wifi key; it's as simple as that. The point is, most companies use different ISPs which result in different IP address ranges. When you are connected I would Google 'myip' and note down the IP address; you want as many IPs as possible.
The next step would be to identify the IP range of the target by using either ripe.net or whois; this will give you a network block to scan.
Scanning the Ranges
Now that we have an IP range, we can start using a tool such as nmap with the following command: 'proxychains nmap -sV (IPRANGE or IPBLOCK) -p80,443,8080 -oG SCANNED.csv'. This will scan the IP ranges for open systems with a web panel; the main targets we are looking for are vulnerable routers such as Netgear, D-Link, Linksys etc.
By now you should have a list of open devices that you can connect to via Tor Browser (HIDE YOUR ORIGIN). You should now start going through the list and identify the type of device and version, as you will use this information to find PUBLIC vulnerabilities.
Finding public exploits
Now you need to find public exploits that match the device that you are able to access via the web browser. I would look for unauthenticated exploits such as RCE and authentication bypass; you can look for other exploits too, but you are looking to secure access to the device. Currently I would suggest looking at something similar to 'https://www.exploit-db.com/exploits/42039/', however there are a lot of other exploits, just mix and match to the device.
Exploring the LAN
Once you have secured access to the device, you should examine the DHCP list for devices connected to the LAN; this will provide a MAC address and the IP address. You are looking for LAN-based IP addresses such as 192.168.0.1 or 192.168.1.1. Now you will need to identify what kind of device is connected. This can be done by copying and pasting the MAC address into a MAC address lookup tool or through 'https://www.macvendorlookup.com/'. This should give you an idea of what kind of device you are looking at; for example, if you pick up an HP or an Epson then chances are you are looking at a printer, and as each device has its own set of ports and services available, you need to identify each device on the LAN.
Again go through exploit-db and match the exploits to the devices to see if any potentially vulnerable devices exist. Once you have potential devices that could be vulnerable, you will need to set up port forwarding to these devices in order to access them from the internet. Find the NAT settings and start creating rules; however, do not replace the port you are using to connect to the router, such as port 80. Instead use ports 81, 82, 83 etc., otherwise you will lock yourself out of the router. I have done this on many occasions and my only resolution was the fact that I enabled remote admin on another port. Now you should be able to test the various exploits against the internal devices.
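A defender-side check for the port-forwarding step above, added here as an example and not part of the original post: it audits a router's NAT table against the baseline of rules the administrator actually authored and flags any forward that reaches a LAN service port, which is exactly what the extra 81/82/83 rules would look like from the inside. The rule line format, the sample table, the approved baseline and the SENSITIVE_LAN_PORTS set are all constructed for this example and do not mirror any vendor's real export format.

```python
import ipaddress
import re

# LAN service ports worth reviewing when reachable through a forward (assumed list).
SENSITIVE_LAN_PORTS = {21, 22, 23, 80, 443, 445, 3389, 5900, 8080, 9100}

# Constructed rule format: 'EXT_PORT -> LAN_IP:LAN_PORT (proto) [optional comment]'.
RULE_RE = re.compile(r"^(?P<ext>\d{1,5})\s*->\s*(?P<ip>[\d.]+):(?P<lan>\d{1,5})"
                     r"\s*\((?P<proto>tcp|udp)\)(?:\s*\[[^\]]*\])?\s*$")


def parse_rule(line):
    """Parse one rule line into (ext_port, lan_ip, lan_port, proto); None if malformed."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    try:
        return int(m["ext"]), ipaddress.ip_address(m["ip"]), int(m["lan"]), m["proto"]
    except ValueError:  # e.g. '999.1.1.1' matches the regex but is not an address
        return None


def audit_forwarding(lines, approved):
    """Flag rules absent from `approved` ((ext, lan_ip_str, lan) tuples) or hitting LAN service ports."""
    findings = []
    for line in lines:
        parsed = parse_rule(line)
        if parsed is None:
            continue  # skipped here; a production audit should log unparseable lines
        ext, ip, lan, _proto = parsed
        reasons = []
        if (ext, str(ip), lan) not in approved:
            reasons.append("not in approved baseline")
        if ip.is_private and lan in SENSITIVE_LAN_PORTS:
            reasons.append(f"forwards to LAN service port {lan}")
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


# Constructed sample NAT table and the administrator's approved baseline.
SAMPLE_RULES = [
    "443 -> 192.168.1.10:443 (tcp) [web server, approved]",
    "81 -> 192.168.1.50:80 (tcp)",
    "82 -> 192.168.1.60:9100 (tcp)",
    "5000 -> 192.168.1.20:5000 (udp) [voip, approved]",
]
APPROVED = {(443, "192.168.1.10", 443), (5000, "192.168.1.20", 5000)}


def audit_sample():
    """Run the audit over the constructed table; three of the four rules are reported."""
    return audit_forwarding(SAMPLE_RULES, APPROVED)
```

Run the same audit periodically against a fresh export of the router's forwarding table and diff the findings against the last run, so a newly added rule shows up as a change rather than being buried in a long list.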
By using this method I have found EPOS, CCTV, entry systems, SCADA, servers and printers on the LAN using the same password/login details as the router. Be creative.