Termineter Version 1: Come With Me If You Want To Pwn…
Almost six years after its initial release, RSM has published version 1.0 (and shortly thereafter a couple of bug fixes) of its Open Source Smart Meter Penetration Testing Framework dubbed “Termineter”. The framework has been an integral part of the Smart Meter assessment portion of the RSM AMI testing methodology and this release has been the culmination of years of improvements on the original version.
Installation is easier than ever given that Termineter is now distributed through the Python Package Index. Termineter can be installed through pip with the command python3 -m pip install termineter. While support for Python 2.7 has been removed, Termineter will still work as expected on Windows systems.
This version comes with 17 modules for interacting with the meter at both high and low levels. Some of the high level modules include the ability to brute-force logins (brute_force_login) and set the meter’s operating mode (set_meter_mode). Lower level modules that allow more control over the interaction include the read and write table modules (read_table and write_table modules respectively). This combination of modules allows the Termineter user to interact with the meter and send both complex and simple data requests.
One of the brand new features is the integration of an equally brand new and separate component: Protocon. This is an optional dependency for Termineter, that when installed exposes the protocon command. Protocon is a separate utility that allows easily sending and receiving binary data over what is generally a socket interface. In this case, Protocon integrates with Termineter to share the established serial connection and allow the user to more easily send and manipulate raw data to the meter. This was previously possible with the ipy command, but required a bit more effort and familiarity with the API. Protocon also has the added benefit of supporting simple resource scripts so the raw data can easily be repeated at a later time or another meter. Protocon is a command line framework similar to Termineter but lacking the modular architecture in favor of connection drivers of various types such as TCP, UDP and Serial.
C12.18 Review
A basic understanding of the C12.18 protocol and how it is used by Termineter to interact with the meter is important and helps to illustrate how various modules can be used. ANSI C12.18 requests are referred to as “Services” and nine are defined in the official standard. The two most important services are the Read and Write services which are used by the software to read and write the table data for the various C12.19 tables that the meter provides. The ANSI C12.19 standard is much larger than it’s C12.18 counterpart and defines the data structures of these tables.
The typical C12.18 connection is established in the following two phases (each of which involves sending two service requests).
- Negotiation Phase
- Identification Service (0x20)
- Negotiate Service (0x60-0x6B)
- Authentication Phase
- Logon Service (0x50)
- Security Service (0x51)
A brand new addition in this release, the get_identification module parses the information from the Identification Service. This response from the meter contains various pieces of version information and an optional list of available features. This takes place before any other service requests are issued and provides the Termineter user a little insight regarding the connected Meter. Finally, in this first phase, the Negotiate Service is issued where the communication channel parameters can be changed from their default values.
The second Authentication phase is consists of what is generally referred to as “logging in”. The Logon Service consists of the User ID and Username. Checking the response to this request can often lead to User ID enumeration, which is exactly what the enum_user_ids module does. Since the Logon Service is issued prior to the password being sent in the Security Service, the meter has an opportunity to respond with an error code preemptively before any password is sent. This is something that users should try before executing a brute-force attack.
Demonstration
The following Asciinema demonstration shows the general process (albeit sped up significantly) of brute-forcing a weak password after enumerating a valid User ID.
Termineter Demonstration
Termineter is available on RSM’s GitHub page.
