SkyLine
  • SkyLine | Introduction
    • Module Overview
    • SkyLine's Development
    • Skyline's Reason
    • SkyLine Syntax
    • SkyLine Concepts
      • Concepts | Modes
  • SkyLine | Technologies
    • Module Overview
    • REPL
      • REPL - Basic usage
      • REPL - Console Design
      • REPL - Commands
    • SLC
      • SLC - What is it
      • SLC - Use cases
      • SLC - Lexical Analysis
      • SLC - Intro To Development
      • SLC - Error System
  • SkyLine | Theory
    • Module Overview
    • Theory | Type Systems
      • Objects | Strings
      • Objects | Integers & Floats
  • SkyLine | Development
    • Module Overview
    • Development | Hello Integers?
  • SL | Hybrid Development
    • Module Overview
    • Hybrid Projects | Advancing
    • Hybrid Projects | Wrapping
    • Hybrid Projects | Using SLC
  • SkyLine | For Abusers
    • SL Abuser | Security Research
    • SL Abuser | Module Overview
    • SL Abuser | Abusing Helps
  • SkyLine Experiments
    • Introduction To Module
      • Caster - IoT Manipulation With SkyLine
        • Caster In Real World Scenarios
          • Cracking The Grounds
        • Caster: Setting Up
        • Caster - Running Caster
        • Caster - Dev Manipulation
          • Caster - Console
          • Caster - Apple Devs
          • Caster - Amazon Devs
          • Caster - Google Devs
          • Caster - Roku Devs
      • SkyNeXt - Hacking The Skies
      • SkyLine - PwnLib
Powered by GitBook
On this page
  1. SkyLine Experiments
  2. Introduction To Module
  3. Caster - IoT Manipulation With SkyLine
  4. Caster - Dev Manipulation

Caster - Amazon Devs

Enumerating Amazon Devices

PreviousCaster - Apple DevsNextCaster - Google Devs

Last updated 1 year ago

This part of the manipulation chapter is dedicated to showing you what you can do with Amazon devices in Caster. This also shows you some of the basic details.

Note: Currently, the amazon manipulation module holds only one single command, but we will explain how you can get this data for this module and then explain how it works.

  • amazon-devdesc - A Cool thing about Amazon devices is that they use a UPnP server to query for device information, live information, stream information, and more. Well, the issue with this is that Caster just at the time of development did not want to include the UDP and SSDP sniffing modules that it used. For context, those modules were specific for Amazon devices and would search for anything on the port 6000And would also try to find any UPnP service URLs. Well, it was also found later that in order to query some services such as the Apple AirPlay RTSP server you need to use the device's UUID and with Amazon, this is just the case.

This command will do the same thing as all other commands, query or request resources from APIs but instead requires the UUID of the device you are targeting. So, here is how you can find that UUID on a standard Amazon FireStick-TV.

Step1: Open up wireshark

The first thing we need to do if our device is active is pop open wireshark, yeah, your best friend! when you are there, you can use Caster's module to find the IP address of an Amazon device. You need the IP of the device to make sure we are filtering for information.

So when we do that and filter the proper address, we may see some UDP packets like so.

Click through some of the UDP packets until you come across one that looks like the following.

We can see that this packet has some UDP data in it and it seems as if they are response headers from a request that went to the UPnP server. So, how do we properly format that? You could just go to wireshark, right click on the data field, select as data and then go from there- but if you want to use SkyLine for fun, then you an do the following.

  • 1: Copy the data so we have a brick of the UDP data.

485454502f312e3120323030204f4b0d0a55534e3a20757569643a37303238363
635362d656461372d333937322d386664302d6434396538366438386463633a3a7
5726e3a6469616c2d6d756c746973637265656e2d6f72673a736572766963653a
6469616c3a310d0a43414348452d434f4e54524f4c3a206d61782d6167653d3138
30300d0a4558543a200d0a53543a2075726e3a6469616c2d6d756c7469736372656
56e2d6f72673a736572766963653a6469616c3a310d0a4c4f434154494f4e3a2068
7474703a2f2f31302e302e302e3138353a36303030302f75706e702f6465762f373
03238363635362d656461372d333937322d386664302d6434396538366438386463
632f646573630d0a5345525645523a204c696e75782f342e342e3132302055506e
502f312e3020436c696e672f322e300d0a57414b4555503a204d41433d65633a32
623a65623a65373a36663a64333b54696d656f75743d33350d0a0d0a

  • 2: Set it into a variable on a notepad or something

set x := `485454502f312e3120323030204f4b0d0a55534e3a20757569643a37303238363
635362d656461372d333937322d386664302d6434396538366438386463633a3a7
5726e3a6469616c2d6d756c746973637265656e2d6f72673a736572766963653a
6469616c3a310d0a43414348452d434f4e54524f4c3a206d61782d6167653d3138
30300d0a4558543a200d0a53543a2075726e3a6469616c2d6d756c7469736372656
56e2d6f72673a736572766963653a6469616c3a310d0a4c4f434154494f4e3a2068
7474703a2f2f31302e302e302e3138353a36303030302f75706e702f6465762f373
03238363635362d656461372d333937322d386664302d6434396538366438386463
632f646573630d0a5345525645523a204c696e75782f342e342e3132302055506e
502f312e3020436c696e672f322e300d0a57414b4555503a204d41433d65633a32
623a65623a65373a36663a64333b54696d656f75743d33350d0a0d0a`;

Dont forget the damn semicolon.

  • 3: Run SkyLine --Repl

  • 4: Enter mode("pwn") as shown below.

  • 5: Throw your variable into the REPL

  • 6: Call HexDecode and encapsulate it inside of a println the statement finally throwing your variable in it, like so - println(HexDecode(x)) and then watch it decode.

And now, we have gotten the UUID and the full URL. Going back to Caster, we can plug our UUID into the option and have the information parsed properly.

pwn mode being set
Page cover image