Destroying Router Security - NNC5ed

  1. About us... Meet our research group
      • Álvaro Folgado Rueda, Independent Researcher
      • José Antonio Rodríguez García, Independent Researcher
      • Iván Sanz de Castro, Security Analyst at Wise Security Global
  2. Main goals
      • Search for vulnerability issues
      • Explore innovative attack vectors
      • Develop exploitation tools
      • Build an audit methodology
      • Evaluate the current security level of routers
  3. State of the art: Previous research
  9. State of the art: Real world attacks - Example 1
  10. State of the art: Real world attacks - Example 2
  11. Common security problems: Services
      • Too many. Mostly useless.
      • Increase the attack surface
      • Insecure
  12. Common security problems: Default credentials
      • Public and well-known for each model
      • Not randomly generated
      • Chart of default User / Password pairs: 1234 / 1234, admin / admin, [blank] / admin, admin / password, vodafone / vodafone (shares shown on the slide: 45%, 27%, 5%, 5%, 18%)
  13. Common security problems: Default credentials
      • Hardly ever modified by users
      • Users' response when asked about router passwords (slide labels: best-case scenario, worst-case scenario):
          - "I don't remember what the password is."
          - "I have never changed it."
          - * Gives you a post-it with the Wi-Fi password *
          - "Administrative password of... WHAT?"
          - "Oh!, so we have one of those (routers)?"
  14. Common security problems: Multiple user accounts
      • Also with public default credentials
      • Mostly useless for users
      • Almost always hidden from end users
      • Passwords for these accounts are never changed
  16. Bypass Authentication
      • Allows unauthenticated attackers to carry out router configuration changes
      • Locally and remotely
      • Exploits:
          - Improper file permissions
          - Service misconfiguration
  17. Bypass Authentication: Web configuration interface
      • Permanent Denial of Service by accessing /rebootinfo.cgi
      • Reset to default configuration settings by accessing /restoreinfo.cgi
      • Router replies with either HTTP 400 (Bad Request) or HTTP 401 (Unauthorized)
      • But spamming gets the job done!
      • Video Demo #1: Persistent DoS / Restore router to default settings without requiring authentication
  18. Bypass Authentication: SMB
      • Allows unauthenticated attackers to download the entire router filesystem
      • Including critical files such as /etc/passwd
      • File modification is also possible
      • Erroneous configuration of the wide links feature
  20. Bypass Authentication: Twonky Media Server
      • Allows unauthenticated attackers to manipulate the contents of the USB storage device hooked up to the router
      • Download / Modify / Delete / Upload files
      • Misconfiguration of the service
  22. Cross Site Request Forgery
      • Change any router configuration settings by sending a specific malicious link to the victim
      • Main goal: DNS Hijacking
      • Requires embedding login credentials in the malicious URL
      • Attack feasible if credentials have never been changed
      • Google Chrome does not pop up a warning message
  26. Cross Site Request Forgery: Suspicious link, isn't it?
      • URL Shortening Services
      • Create a malicious website
  27. Persistent Cross Site Scripting
      • Inject malicious script code within the web configuration interface
      • Goals:
          - Session Hijacking
          - Browser Infection
  29. Persistent Cross Site Scripting
      • Browser Exploitation Framework is a great help
      • Input field character length limitation
      • BeEF hooks link to a more complex script file hosted by the attacker
      • http://1234:[email protected]/goform?param=
  31. Unauthenticated Cross Site Scripting
      • Script code injection is performed locally without requiring any login process
      • Send a DHCP Request PDU containing the malicious script within the hostname parameter
      • The malicious script is injected within Connected Clients (DHCP Leases) table
  32. Unauthenticated Cross Site Scripting
  34. Unauthenticated Cross Site Scripting: Sometimes it is a little bit harder...
  36. Unauthenticated Cross Site Scripting: Or even next level... But it works!
  37. Privilege Escalation
      • A user without administrator rights is able to escalate privileges and become an administrator
      • Shows why multiple user accounts are unsafe
      • Video Demo #2: Privilege Escalation via FTP
  38. Backdoor
      • Hidden administrator accounts
      • Completely invisible to end users
      • But allows attackers to change any configuration setting
  40. Information Disclosure
      • Obtain critical information without requiring any login process
      • WLAN password
      • Detailed list of currently connected clients
      • Hints about router's administrative password
      • Other critical configuration settings
  42. Information Disclosure
  45. Universal Plug and Play
      • Enabled by default on several router models
      • Allows applications to make network configuration changes such as opening ports
      • Extremely insecure protocol
          - Lack of an authentication process
          - Awful implementations
      • Goals:
          - Open critical ports for remote WAN hosts
          - Persistent Denial of Service
          - Carry out other configuration changes
  46. Universal Plug and Play: Locally
      • Miranda UPnP tool
  48. Universal Plug and Play Locally Miranda
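
For the unauthenticated XSS on slide 31 (a DHCP hostname rendered in the Connected Clients table), the router-side fix is to validate the hostname taken from the lease and HTML-escape it before it reaches the page. The C code below is an added example, not code from the talk or from any router firmware; the function names and the sample hostnames are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Returns 1 if s is an RFC 1123 hostname (labels of letters, digits, '-'), else 0. */
int hostname_is_valid(const char *s)
{
    size_t total = strlen(s), label = 0;
    if (total == 0 || total > 253) return 0;
    for (size_t i = 0; i < total; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') return 0;
            label = 0;
        } else if (!isalnum(c) && c != '-') {
            return 0; /* markup characters, quotes, spaces, control bytes */
        } else if ((c == '-' && label == 0) || ++label > 63) {
            return 0; /* label starts with '-' or is longer than 63 bytes */
        }
    }
    return label > 0 && s[total - 1] != '-';
}

/* HTML-escapes in into out; returns the length written, or -1 if out is too small. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = *in == '&' ? "&amp;" : *in == '<' ? "&lt;" : *in == '>' ? "&gt;" :
                          *in == '"' ? "&quot;" : *in == '\'' ? "&#39;" : one;
        size_t n = strlen(rep);
        if (o + n + 1 > outlen) { out[0] = '\0'; return -1; }
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    const char *leases[] = { "laptop-01", "<b>pc</b>" }; /* constructed sample hostnames */
    char cell[128];
    for (size_t i = 0; i < 2; i++)
        if (html_escape(leases[i], cell, sizeof cell) >= 0)
            printf("valid=%d cell=<td>%s</td>\n", hostname_is_valid(leases[i]), cell);
    return 0;
}
```

Validation belongs where the DHCP server stores the lease, and escaping where the table is rendered, so that a name that slips past one check is still inert in the page.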
