ansichart

Vending Machine On a Cisco Network.

18 posts in this topic

* About a year ago, I made a post similar to this, but I have dived much deeper into this... and instead of bringing up an old thread, I figured I would just make a new one. Just in case you were wondering...

At my university we have vending machines that are connected to a network. These vending machines are equipped with a magnetic stripe card reader. The university has a special currency system called MavCash. The students may put more money on the card by going to a special machine that takes the card and the money you want to deposit and then spits the card back out. I am positive that the currency is NOT kept on the cards, but rather on a network.

Anyway, I hooked my laptop into the network and started to capture data using Wireshark for a little less than a minute. I got a good sample of some of the data on the network.

Here are some of the different protocols I discovered while passively capturing data:

ARP - Address Resolution Protocol (of course)

EIGRP - Enhanced Interior Gateway Routing Protocol

IGMP - Internet Group Management Protocol

PIM - Protocol Independent Multicast

CDP - Cisco Discovery Protocol

STP - Spanning Tree Protocol

The Cisco Discovery Protocol seemed to be the most interesting.

I then unplugged a vending machine from the network. As soon as I unplugged the vending machine from the network, the LCD display screen above the magnetic stripe card reader displayed "Card Use Disabled." I started up my DHCP daemon on my laptop, and then plugged the vending machine directly to my computer. Wireshark didn't capture any DHCP requests, or anything at all. So this must mean that the vending machine passively waits for the network to assign it an IP address.

I then did some reading on some of the Cisco protocols, and it looks like the CDP protocol is the key to this problem. I believe if I have a CDP daemon running on my laptop, it will assign an IP address to the Vending machine. Then the Magnetic Stripe Card Reader should be enabled. Think this will work? I'm going to have to try this later tonight, probably not a good idea to do this during the day.

Anyway, if you guys have any ideas for me, let me know.

----

I have attached the Wireshark dump (libpcap) as vending.txt, it wanted a trusty file extension. Just open it with Wireshark, or view it with tcpdump, or whatever you prefer.

My laptop's MAC address: 00:16:d4:12:b7:be

You will see that my laptop sent some different packets:

DHCP requests

ARP query packets "Who has X? Tell Y"

an IGMP v2 membership report packet

an ARP - Gratuitous packet,

an mDNS packet (Zeroconf) (thinking I should disable this)

---

vending.txt

Edited by ansichart

My uni has something like this. I haven't hacked around with it, but I am eagerly awaiting any more info. Trem, Sub, does this sound like a good after-2600 activity?

My uni has something like this. I haven't hacked around with it, but I am eagerly awaiting any more info. Trem, Sub, does this sound like a good after-2600 activity?

Absolutely.


Sounds like an excellent toy to play with. I may have to go run up to one of the many vending machines here and hook my laptop up to see what I can manage to pull from it later tonight as well, I'll return with what I find.


I got something similar. I work at a large public transportation facility and the vending machines there can take credit cards. Well, in passing one day I happened to notice something sticking out from the back of the machines. I looked closer and it is an antenna. There is an antenna hooked up to these machines, I assume for credit card authentication. I looked further behind the machines and found no other network connections, so I am assuming that this is either hooked into the facility's free wifi or it is some kind of cellular communication. I got video of it; once I can get it off my phone I shall show.


Well guys, I have the solution. http://www.yersinia.net/

I almost orgasmed when I saw everything it could do. I'm going to have to try this out later. I will let you guys know what I find.

I then unplugged a vending machine from the network. As soon as I unplugged the vending machine from the network, the LCD display screen above the magnetic stripe card reader displayed "Card Use Disabled." I started up my DHCP daemon on my laptop, and then plugged the vending machine directly to my computer. Wireshark didn't capture any DHCP requests, or anything at all. So this must mean that the vending machine passively waits for the network to assign it an IP address.

It's more likely that the machine sends out DHCP requests when it is starting up.

I then did some reading on some of the Cisco protocols, and it looks like the CDP protocol is the key to this problem. I believe if I have a CDP daemon running on my laptop, it will assign an IP address to the Vending machine. Then the Magnetic Stripe Card Reader should be enabled. Think this will work? I'm going to have to try this later tonight, probably not a good idea to do this during the day.

Since CDP is a proprietary protocol, it is unlikely that the manufacturer of the vending machine would add CDP support. CDP is used more for sharing information between routers and switches. I would get a laptop with 2 ethernet interfaces, put it between the vending machine and the network, restart the vending machine, and do bridged sniffing with ettercap. That should tell you all you need to know about it. Hopefully they've set up some kind of encrypted tunnel between the vending machines and the server, but I wouldn't be surprised if the account info was going out in plaintext.

My uni has something like this. I haven't hacked around with it, but I am eagerly awaiting any more info. Trem, Sub, does this sound like a good after-2600 activity?

Absolutely.

I'm up for it.


It's most likely as sub_zenith said. The idea that a non-Cisco card reader would use Cisco proprietary protocols is relatively contradictory, just by its nature.

Now, if you were to use a Nettools (or similar device... I use a Nettools Series II) or a 2-ethernet-interface laptop to do inline capture, and cycle the machine's power while capturing, you'll probably get all the data you need and more (just as sub_zenith was saying).

I suggest using your card to purchase something and seeing the handshake process (if there is one.... I've heard of scarier things). Maybe you'll be able to mimic and transmit edited data? I'm planning on doing a senior design project about our system on campus (similar method of adding money to a card and paying for stuff).

Edited by Minion

When I looked through your packet capture I didn't see anything too out of the norm. Just routers updating topologies and converging. The only thing strange is the one host AttBell, who sends a massive amount of ARP requests between packets (approx.) 35-80. All of them are for different destinations, and I see some packets being Administratively Filtered, so probably ACLs catching it. Another thing is packet 29... the DHCP transaction request. It is requesting a strange network IP (compared to the rest I'm seeing) of 192.168.0.100 and the hostname is Ansitop. Yea, so unless one of those two are your prizes, I don't see any kind of traffic that could possibly be from a vending machine...

My laptop's MAC address: 00:16:d4:12:b7:be

You will see that my laptop sent some different packets:

DHCP requests

ARP query packets "Who has X? Tell Y"

an IGMP v2 membership report packet

an ARP - Gratuitous packet,

an mDNS packet (Zeroconf) (thinking I should disable this)

Another thing is packet 29... the DHCP transaction request. It is requesting a strange network IP (compared to the rest I'm seeing) of 192.168.0.100 and the hostname is Ansitop. Yea, so unless one of those two are your prizes, I don't see any kind of traffic that could possibly be from a vending machine...

"ansitop" is my laptop's name. I really should have disabled the DHCP client.

Anyway, I haven't messed with it much now. Finals are coming up and I am trying to catch up on the material being covered.


I'm going to sound repetitive here, but you should really read up and learn more of Cisco's protocols and routing protocols as well. All you've done is found out what kind of network your school is running. I would google around for information on the card reader, what kind of protocols it runs, how it works, or anything on it. I like the bridge sniffing stated above as well. That will give more of an indication of what's really happening. See if the card reader is running TCP/IP, NetBIOS, or something proprietary. Is it sending TCP or UDP packets? Is it encrypted or plaintext? Is it even the card reader or the vending machine itself? Just things to think about.


This sounds like an interesting experiment and something I'd be interested in as well. Keep us updated...


allow me to simplify:

1. choose item

2. slide card

3. wait for handshake and the check for available funds

4. After sufficient funds are acknowledged, and before the machine can send the deduct amount to the server, unplug the ethernet cord

5. Free candy til they check the logs the next day and find the incomplete transaction

allow me to simplify:

1. choose item

2. slide card

3. wait for handshake and the check for available funds

4. After sufficient funds are acknowledged, and before the machine can send the deduct amount to the server, unplug the ethernet cord

5. Free candy til they check the logs the next day and find the incomplete transaction

The vending machine probably "checks" for sufficient funds by charging the account, then awaits the server's confirmation before vending.

Edited by chown

Do the vending machines you have plug directly into an ethernet port or a phone jack?

If it's an ethernet port, it's most likely not ethernet at all. Even if so, they're definitely not on the same subnet as any neighbouring rogue ethernet ports you can jack into. Not to mention, there's no way of defrauding it or getting free shit, period. The worst you could do (in order of difficulty) is:

  1. sniff card data for later replay/spoofing;
  2. on-the-fly traffic intercept & modify to charge yourself cheaper shit than you're actually buying;
  3. reverse-engineer the protocol and set up a fake server.

I've played around with this at my university--and been successful (I got physical access to a back room--which has since been secured, hmm I wonder why...). As it turns out, on our network, the raw card track data is sent over the network unencrypted using some crazy proprietary protocol (simple enough but very difficult to tamper with).

Basic network map:

VENDING MACHINE --CARD INTERFACE-->--SERIAL--> SERIAL-TO-ETHERNET ADAPTER --ETHERNET--> HUB/SWITCH --> SERVER

What you'd need to do is get access to said hub/switch. Good luck. Both the hub and adapter are hidden away in a switch room.

BTW Cisco would have nothing to do with anything. The interface between magcard reader and Coke machine is contracted out, usually to Diebold.

Encryption is not usually needed, since traffic is impossible to intercept without huge efforts.

To be sure for yourself that the traffic you're seeing is or is not from the vending machine, read the data on your card, and ngrep for it.

Edited by mobilec
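A check in the spirit of mobilec's "read the data on your card and ngrep for it" advice, added here as an example (not code from the thread): it walks a libpcap dump such as vending.txt and reports every packet that carries track-2 magstripe data in the clear, reporting only a masked PAN. The capture, the frame contents and the test PAN are constructed; only the laptop MAC comes from the thread.

```python
import re
import struct

# Track-2 magstripe data in cleartext: start sentinel ';', PAN, separator '=',
# expiry (YYMM) plus service code and discretionary digits, end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def iter_pcap_packets(data):
    """Yield each packet's bytes from a classic libpcap capture held in memory."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap (pcap) file")
    off = 24  # size of the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def find_cleartext_track2(data):
    """Return (packet index, masked PAN) for every packet carrying track-2 data in the clear."""
    hits = []
    for i, pkt in enumerate(iter_pcap_packets(data)):
        for m in TRACK2_RE.finditer(pkt):
            pan = m.group(1).decode()
            hits.append((i, pan[:6] + "*" * (len(pan) - 10) + pan[-4:]))
    return hits


def _build_pcap(packets):
    """Constructed capture: libpcap global header (Ethernet link type) plus one record per packet."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in packets)
    return hdr + recs


# Constructed sample: an ARP-like frame from the poster's laptop MAC, a frame carrying
# track-2 data (industry test PAN 4111111111111111), and a harmless balance reply.
SAMPLE_PCAP = _build_pcap([
    b"\xff" * 6 + b"\x00\x16\xd4\x12\xb7\xbe" + b"\x08\x06" + b"\x00" * 28,
    b"\x00" * 14 + b"VEND ;4111111111111111=2512101? ITEM A",
    b"\x00" * 14 + b"OK BAL=7.50",
])

if __name__ == "__main__":
    print(find_cleartext_track2(SAMPLE_PCAP))  # [(1, '411111******1111')]
```

Swap SAMPLE_PCAP for the bytes of a real capture file to run the same check on your own dump; pcapng files are not handled.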
allow me to simplify:

1. choose item

2. slide card

3. wait for handshake and the check for available funds

4. After sufficient funds are acknowledged, and before the machine can send the deduct amount to the server, unplug the ethernet cord

5. Free candy til they check the logs the next day and find the incomplete transaction

The vending machine probably "checks" for sufficient funds by charging the account, then awaits the server's confirmation before vending.

Indeed. However...

The protocol works as such:

  1. Send card data;
  2. Receive confirmation ("Insufficient funds"?);
  3. Send purchase item # & vend;
  4. Receive & display account balance;

Therefore, no transaction is made until you select an item on the machine (i.e. not all items are priced the same).

You're on to something d0p3d4n. I'll give this a try in the next couple days and post results.

Edited by mobilec

If it is so, then it's a seriously flawed system.

Ideally the vending machine would only vend after requesting & receiving explicit confirmation from the server that it has permission to do so.

i.e.

• The vending machine sends a request to purchase item A using account N to the server,

• the server verifies account N has sufficient funds available, deducts the cost of item A,

• then sends permission to the vending machine to vend away.

Of course, this wouldn't stop a "man in the middle" spoofing server responses... unless the communications were (properly) encrypted.

Edited by chown
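The authorize-then-vend ordering chown describes, set against mobilec's observed send-card / confirm / vend sequence, as an added example that is not from the thread or any real vending system: the server verifies funds and deducts before it grants permission, and every reply carries an HMAC and the purchase's nonce (an assumption standing in for the "properly encrypted" channel chown mentions), so a dropped link, a spoofed reply or a replayed permission vends nothing. The key, prices and balances are constructed.

```python
import hashlib
import hmac
import json

# Constructed values: a shared machine/server key and a tiny price list in cents.
KEY = b"constructed-shared-key"
PRICES = {"A": 125, "B": 150}


def sign(msg):
    """Attach an HMAC so the machine can tell a real server reply from a spoofed one."""
    body = json.dumps(msg, sort_keys=True).encode()
    return {"msg": msg, "mac": hmac.new(KEY, body, hashlib.sha256).hexdigest()}


def verify(reply):
    body = json.dumps(reply["msg"], sort_keys=True).encode()
    good = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(good, reply.get("mac", ""))


class Server:
    def __init__(self, balances):
        self.balances = dict(balances)  # account -> cents

    def purchase(self, req):
        """Check funds and deduct *before* granting permission (chown's ordering)."""
        acct, cost = req["account"], PRICES[req["item"]]
        ok = self.balances.get(acct, 0) >= cost
        if ok:
            self.balances[acct] -= cost
        return sign({"nonce": req["nonce"], "ok": ok, "balance": self.balances.get(acct, 0)})


class VendingMachine:
    def __init__(self):
        self.vended = []
        self.nonce = 0

    def buy(self, item, account, link):
        """Vend only on an authentic, fresh, positive reply; anything else vends nothing."""
        self.nonce += 1
        reply = link({"account": account, "item": item, "nonce": self.nonce})
        if reply is None:                        # link dropped before permission arrived
            return "no reply: nothing vended"
        if not verify(reply):                    # forged or tampered reply
            return "bad reply: nothing vended"
        if reply["msg"]["nonce"] != self.nonce:  # replayed permission from an older purchase
            return "stale reply: nothing vended"
        if not reply["msg"]["ok"]:
            return "insufficient funds"
        self.vended.append(item)
        return "vended %s, balance %d" % (item, reply["msg"]["balance"])
```

The `link` argument stands in for the network path, so a lambda returning None models the pulled cable and a lambda returning a captured reply models a replay.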
